cef4875b93d64c4faf1308e416504696f64263dc9f790f5736d5a1273977082a

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba85a8b17d6f55a3b5bd74d3d3a98570N.exe
Size

9.4MB
MD5

ba85a8b17d6f55a3b5bd74d3d3a98570
SHA1

8359e9619103e4f80e08158749093315d2dd579b
SHA256

cef4875b93d64c4faf1308e416504696f64263dc9f790f5736d5a1273977082a
SHA512

70275e0b398d9877820e3b1a7344e8c7a627018c2e031944d9c72eb5a177e57a082e1b852bac29eba76c34375e1c1b975fe420548ea5f79091e08ce591928f93
SSDEEP

196608:6s5nTuypxBRJxo85pTdvbN0Xx06IVT4B8iXt3b8r0xnaMw1oMyj73:6s5nCqBz5/x0BXIOr8rye3GT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
816	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe
3528	SETUP64.EXE

Loads dropped DLL 2 IoCs

pid	Process
3528	SETUP64.EXE
3528	SETUP64.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SETUP64.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SETUP64.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SETUP64.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE
3528	SETUP64.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 816	4864	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe	84
PID 4864 wrote to memory of 816	4864	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe	84
PID 4864 wrote to memory of 816	4864	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe	84
PID 816 wrote to memory of 3528	816	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe	87
PID 816 wrote to memory of 3528	816	ba85a8b17d6f55a3b5bd74d3d3a98570N.exe	87

C:\Users\Admin\AppData\Local\Temp\ba85a8b17d6f55a3b5bd74d3d3a98570N.exe
"C:\Users\Admin\AppData\Local\Temp\ba85a8b17d6f55a3b5bd74d3d3a98570N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\e57a21c\ba85a8b17d6f55a3b5bd74d3d3a98570N.exe
  run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\ba85a8b17d6f55a3b5bd74d3d3a98570N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\SETUP64.EXE
    .\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\SETUP64.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\epstplog.txt

Filesize
4KB

MD5
3327cd70c0d09ddc8e15901a99503ba0

SHA1
ce9184664fd9c8a68b9c822455072f12a893ac37

SHA256
d4db66c76266981e855dd17f5473e84e4fdb2dfedfd515d4d249d9046b9514f6

SHA512
f1c7a29d4537786de1e04eb847c6415a15fde6df36fd09f4b61ce86de519e5b95c871fdb231496733e3c7eb76a4ab11afbaaa79d203a7b91d9e06b18e6ab984c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\EPEULA64.dll

Filesize
3.4MB

MD5
d5c9763ab346ebd8b90e0ed9090823a2

SHA1
3021876ffa12f331941debcb95e9015d1f259831

SHA256
7d5b28d92d2169014691c82f7a87e76ae8c257debdca3b4a10dc1b589a75f5b5

SHA512
2de7d96a0f073c3057d7994bbc295ca778756c7f140ddce151eedc219ef55ac66c295e1d536851593bae104883710f5f410b08195db6f36d483ce732179ff2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\E_GLSDLG.dll

Filesize
54KB

MD5
4627b95b7f67c61829ef414c0a640d59

SHA1
e8cb6796ac87b1fd06923a61506ea7d435b3d1b0

SHA256
653b5a162131473865dc60ee33e9092dd78ecfc69a87488aef3d3fe5276787c8

SHA512
76fb03ebabec703d1fb2a7acf43cad4c091af366bbb6967d12b62b64483cf5dbad7edb98c4134fc3b80ee9fffe2f92b118d86840d7d5651f3ff0517feb3a9ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\SETUP64.dat

Filesize
424KB

MD5
f8cad209eb776d536b8624aa219015f7

SHA1
0b3b970966d875d9f2df25d1cb67761555d71c68

SHA256
da8121fc91e2a1ef63f22d01ae60f918ce99083ac16fd291f3d76a61c3abb690

SHA512
3f5387acf9d7fb76562c9e818d2d1ac7b468e3b2aafae613d29c8140a67e2cde2c0f5b34264a7e1e12cf2704ed9ccfdcd33b90c91c5e791b6382411373c7d6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\SETUP\epsetup.eif

Filesize
30KB

MD5
2f016bf82e7ce558e92a00c6999209bb

SHA1
a21d7d9adb6de70202b32f4c0134dd016a2285cf

SHA256
c69801ffc77e0f135c291f6b81384982d630e778d00c581e7908ea39a9d62648

SHA512
7f75c22cbab1e7cb06bcd1205e267d4d776196f4f8e1a80fa701859bbb24541ef88458805246d2ebdc3c97fbc88c7bdef49bc45e5d5af6d7202b2d028a0f5169

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\SC-F7200_comdrv_ACL_x64_146JAHomeExportAsia\WINVISTA_XP64\setup\SETUP64.EXE

Filesize
1.3MB

MD5
49e2aba7c0d047e311c2c3854932b0df

SHA1
f4aef3a1eaa109a14709b2b687002430361f9c4d

SHA256
4224671e06e72a919dae4cbfe278fddfe90fbd410010ea1a73c219ba7f252c17

SHA512
8d40a0e67dcc756d7149f58d963af313d4984aab3462d8840a1d2dbe4a28e22d5acb90653017e75075caa116859774be1693a3bf4f76a287a2ffde7979dfc046

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57a21c\ba85a8b17d6f55a3b5bd74d3d3a98570N.exe

Filesize
9.4MB

MD5
ba85a8b17d6f55a3b5bd74d3d3a98570

SHA1
8359e9619103e4f80e08158749093315d2dd579b

SHA256
cef4875b93d64c4faf1308e416504696f64263dc9f790f5736d5a1273977082a

SHA512
70275e0b398d9877820e3b1a7344e8c7a627018c2e031944d9c72eb5a177e57a082e1b852bac29eba76c34375e1c1b975fe420548ea5f79091e08ce591928f93

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\sc-f7200_comdrv_acl_x64_146jahomeexportasia\winvista_xp64\E_NF21HE.CAT

Filesize
23KB

MD5
f59e606eee26bed7b74c16ff983c3174

SHA1
b2720f6c0a2ec10ea304eee42ce3ddcc4a72f3d6

SHA256
5915ea7fc929c268673287c931688e923053c6d3f2ac129e1c7b552629f5c5b4

SHA512
91403dbdf0fbe001c3fad06fe93df7b22bd28d0ab93bfc7e8d8b592da0e210fb7c93d5a58abddcd1aa5ee9e75013f362b8cf863a0f72a4480f6803c402232b6f

Download Submit
\??\c:\users\admin\appdata\local\temp\wzse0.tmp\sc-f7200_comdrv_acl_x64_146jahomeexportasia\winvista_xp64\e_nf21he.inf

Filesize
4KB

MD5
ec6aeadd4bd2f07c3c7daac9728f4606

SHA1
00ec247fb9777f4af327f6b4fdef012481654216

SHA256
48767362bc2931f10b8acdcb94bbfaf38a509542a13ced6639afffd7579f5ef4

SHA512
b70f4601b7ffd1395a7857ec08ad291ce1509795684d02fbb7dc0bae02106f06018d916ccfecdc9a383a0bf01c91ee72456a58be6024006f2d33afc9ae5d13e6

Download Submit