aefccb4b3298d621b8a36e343f040a7fd66e8b8c6d461e1a87743601372151c4

General

Target

7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe
Size

61KB
MD5

7ddc96c0aaeda71d6d0d6b2b25fb5e40
SHA1

c563c44db39e8adafec50fd340e3e7c6aa8fc843
SHA256

aefccb4b3298d621b8a36e343f040a7fd66e8b8c6d461e1a87743601372151c4
SHA512

ceb38b0f9bd059720fd92db03041a4b55ac32e5c6c5b7f1adc142636a86cd15a7418e97f7962231828af0b972cb9ab3b83f8e527f55588ff2516931945ad82b6
SSDEEP

768:r8eRH+MlFh0pDpuJ84WEi+U6sh7iQroCHmyf+RjFBSuB2XpfsPpzSdtKDGo:r9l+W8xFt6sh7iQroCoRB0u0sPpzS2V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
340	bkgrnd.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0007000000012117-5.dat	upx
behavioral1/memory/340-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2156-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bkgrnd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bkgrnd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bkgrnd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 340	2156	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe	30
PID 2156 wrote to memory of 340	2156	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe	30
PID 2156 wrote to memory of 340	2156	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe	30
PID 2156 wrote to memory of 340	2156	7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe	30

C:\Users\Admin\AppData\Local\Temp\7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe
"C:\Users\Admin\AppData\Local\Temp\7ddc96c0aaeda71d6d0d6b2b25fb5e40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe
  "C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bkgrnd.exe

Filesize
61KB

MD5
1563ade11e1a67c4719f1611b5a37965

SHA1
f1bcb3626baf37b76167e2b1a58f9615ca649810

SHA256
3a22951d3e9321bea96ce243bc63268fce63ddca3e70304234e630e192817a5b

SHA512
a812c88b24a6f2e74681a53df0d088a0f4b8113f7da73f558b5c9f253bae685c4bc9d10b34cbef16b3b6dccb9934aa709fe359cb4d656787be4fc1c60c71f5d4

Download Submit
memory/340-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2156-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2156-1-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/2156-2-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/2156-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2156-8-0x0000000000580000-0x000000000058F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing