a8e282748c4562514d4f3cea87cc77134973cfe3bae4cb2cde15571184f9d635

General

Target

ed4f39d62c1156dd91e4cd84ebe3d120N.exe
Size

59KB
MD5

ed4f39d62c1156dd91e4cd84ebe3d120
SHA1

2f86bc3aa4d9d729333a10efbba8ff4aaf7adb0d
SHA256

a8e282748c4562514d4f3cea87cc77134973cfe3bae4cb2cde15571184f9d635
SHA512

4b79637c89694d00c65597c4dd7297bcc62d0342feada62f590a435287829c5ed5b6216e8b8cc72f43f0042da90a4a79e5a66e122619234cc275d93ebdb40a4b
SSDEEP

384:PsjPGY2HXgrk8YhQ98E8I1XAV/QcaYpATUgch1A9NB/erxRXkoM1:PePG5H8+hKD8ISZQjkgs1lxRjM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2440	winupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed4f39d62c1156dd91e4cd84ebe3d120N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	winupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	winupdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30
PID 2336 wrote to memory of 2440	2336	ed4f39d62c1156dd91e4cd84ebe3d120N.exe	30

C:\Users\Admin\AppData\Local\Temp\ed4f39d62c1156dd91e4cd84ebe3d120N.exe
"C:\Users\Admin\AppData\Local\Temp\ed4f39d62c1156dd91e4cd84ebe3d120N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\winupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
59KB

MD5
64fa3786587455db5a15cc20f7906818

SHA1
6d885a126d6aa7eae11409d49491040197e5233a

SHA256
2f7f50fa897187846f7730a808b4430e86e17a00316cddbbade73a2c4dc9751c

SHA512
ac64dc24c4c12488dee827bce8a41bf2c693b5df2dbed0f0f41fe6decc9adf4713d369f1c649bd6952e1f626d1796bc482ce22b96751f461b267b5973d30bb85

Download Submit
memory/2336-0-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2336-1-0x0000000000501000-0x0000000000502000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2440-9-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2440-11-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing