296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6

General

Target

296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe
Size

1.1MB
MD5

c1e014f2ce7a49094fb694028207292a
SHA1

0f9e70be8da2df949be128b8c40c79f0be68cc2f
SHA256

296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6
SHA512

bdb1a010257c76f8e2ea48c3887bab68bcb798012cc8642e975042e041ad961c3f46871f149da2543f35c311c91343e8b2c55f7817373f8b7c173551ff16d6fc
SSDEEP

24576:kp9mNaOPOeZ4ZRQVxj3kWO1pgkysLbIqBcDu5GY/Hj4coCYHb0YLVU5:Qvy4ZRQVZkDIqBR5GY/HUcophO5

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe
1292	296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe

C:\Users\Admin\AppData\Local\Temp\296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe
"C:\Users\Admin\AppData\Local\Temp\296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe_v2\911e37e0-d71c-4bdd-a0b3-99ce50dad136.json

Filesize
891B

MD5
774283d1f5d995d8eb81addd16eaf68a

SHA1
635a15a27a17606f94b250b640c505aa52bf4090

SHA256
6addf0edfdb2277c1042b4ee38ac24710d02edcce0cd93d219dc09712b9a1673

SHA512
836102b205432f8c6a3848d2bc4b7d9abc25616c9981c9e8326eeb22a262f9bb073c4749c2b2da6a35685ba843e79e6329c45d36a7811789d10dc77ffdfa11c6

Download Submit
C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\296d5a4b7ae49389992d8add8334681d9cb7fa31b720a32eecc26ee070c206a6.exe_v2\UNO.ini

Filesize
7B

MD5
be9d6efbd8632e482c64618f00a701fa

SHA1
cc7c0702a34305282ba77d4eb88db1fa0bbed850

SHA256
d94fd0c7e43df0a03014a44d79653c0845adb29e6222ca47718c46af90847b84

SHA512
c59eee3a838ec35f447c28a701289f3f35ea5ec08d0c38df54482b39a2219598074d49fc162b1ef46d9e20c336221f53bc86de7163183193001b466ff36dd5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbb1b91a-af8d-49d1-87b6-5d94cbe11648.json

Filesize
328B

MD5
6b4e2954299d21d26bd7b43a811a49ab

SHA1
93652c6b97a4fc0d4fba519f76706b58a3f9509e

SHA256
e69d8b764f81e9e1fdef8c66e4e49dc15d603c15e33e8cdad73442eaf252fbf5

SHA512
a1e2b9535a9f429fbcc2c42494f6f49c33135b953e914a562f80098793363c2be058a25c87f914a631f8355df83c9c506ba88304ed446f93a7d65bb350beedaf

Download Submit

Analysis

Sharing