97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d

General

Target

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Size

4.5MB
MD5

f3be35113fa87b9213c45e146d448a2d
SHA1

fa9bf12e1c4a04b2e9f899e413be8c1a7cc5dd25
SHA256

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d
SHA512

eea96f29c1db74b07fe9d584aa691803015e66c278474e95e8fa41330df088be4a113acf5ec2f5a0934a3f41b4d0e10e44e7a1ae1895f8564a6e97a94ccda220
SSDEEP

98304:nvumyF5QoUDheFI/lpNOFHbBtwodaaSoyd3YgZQ8B8dL94jY:nLUFFINpoFHbBtwodasydogZQ809oY

Score

6^/10

discovery evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\495847A93187CFB8C71F840CB7B41497AD95C64F	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\495847A93187CFB8C71F840CB7B41497AD95C64F\Blob = 030000000100000014000000495847a93187cfb8c71f840cb7b41497ad95c64f20000000010000000e0600003082060a308204f2a00302010202105200e5aa2556fc1a86ed96c9d44b33c7300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3130303230383030303030305a170d3230303230373233353935395a3081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e67203230313020434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f5234b5ea5d78abb32e9d457f7efe4c7267ead1998fea89d7d94f6366b10d77581307f04687fcb2b751ecd1d088cdf6994a737a39c7b80e099e1ee374d5fce3b14ee86d4d0f52735bc250b38a78c639d17a308a5abb0fbcd6a62824cd521da1bd9f1e3843b8a2a4f855b90014fc9a776107f27037cbeae7e7dc1ddf905bc1b489c69e7c0a43c3c41003edf96e5c5e49471d65501c700264a403cb5a126a90ca76d808e90257bcfbf3f1ceb2f96fae58777c6b556b27a3b5430531bdf6234ff1ed1f45a932885e54c174e7e5bfda493997fdfcdefa475efef15f647e7f81972d82e341aa6b4a74c7ebdbb4f0c3d57f130d6a6368ed68076d7192ea5cd7e342d890203010001a38201fe308201fa30120603551d130101ff040830060101ff02010030700603551d20046930673065060b6086480186f845010717033056302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f637073302a06082b06010505070202301e1a1c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e67696630340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332d67352e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d301d0603551d250416301406082b0601050507030206082b0601050507030330280603551d110421301fa41d301b3119301706035504031310566572695369676e4d504b492d322d38301d0603551d0e04160414cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301f0603551d230418301680147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d010105050003820101005622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D6AEE31631F7ABC56B9DE8ABECCC4108A626B104	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D6AEE31631F7ABC56B9DE8ABECCC4108A626B104\Blob = 030000000100000014000000d6aee31631f7abc56b9de8abeccc4108a626b10420000000010000008f0400003082048b30820373a00302010202100c8ee0c90d6a89158804061ee241f9af300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3238303830313132303030305a3044310b300906035504061302555331153013060355040a130c446967694365727420496e63311e301c06035504031315446967694365727420476c6f62616c20434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d3487cbef305865d5bd52f854e4be086ad15ac61cf5baf3e6a0a47fb9a7691600b8a6bcdcfdc577e60980be454d956ed21cc02b65a815f976aee022f2327b86dd4b0e70602780b1f5ca99936febbac1b05fa57cd81104067d6308b5835d49661bed08c7a979f1af922e6142fa9c6e8011fabf8260fac8e4d2c32391d819b8d1c65b21cdb61a8892f60e7ebc24a18c46f2ae9109209ed17d1002be67def0489144e33a1b20f97879fb3a0cd2fbc2cecb88368313d1fd54a9010190b8195d6297651f93676d0b7097a384ad76f8cbf137c39edbaae90fc95f77b7809365e74931e25f0ffd4adae686bc6ff0fd535f1556e4849f8f8b8ef88f8f15e1177aadf02b30203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d307b0603551d1f047430723037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c3037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c303d0603551d200436303430320604551d2000302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053301d0603551d0e04160414246e2b2dd06a925151256901aa9a47a689e74020301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b050003820101000b398491f997ebaa81af84e95a3892fce26c59bf36c845a7310311e106c0ac32c75a5529da4f4002f5a1deb0eddec0f8f6759d76b987fe41807acf5de300c65b02e69b7862c9dcb8629a77ed8908d74bc5fd43d5622327c404596d713f235bead9f2e724276ff49580db962ce4548bcfea19d97f5599517a0e2d183d785852bc6368570bdd44b3574a60e6c870705b87286ad73b4e524519af24069248111a8baeac181257ac03cbb8f4bdca260ea7c1dde333efc055300d95594e9c033606f8c08f14999c4d2a9ec1e17d3baf72a745ba1396294e19d01a9806f4379417ada318ba3eb0010c95d6293520357df51060e4f768621eec19e124f28711ace90880	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

pid	process
916	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
916	97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

pid process

916 97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

pid process

916 97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

pid process

916 97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe

C:\Users\Admin\AppData\Local\Temp\97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe
"C:\Users\Admin\AppData\Local\Temp\97257c50e8ebd6943173366ec2270c31c5ad9ecc589575c794306fd49c8afd8d.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp84DF.tmp

Filesize
4KB

MD5
661e8ccf7182f1ad0b3774fef08b633d

SHA1
d571cb2a1263af6251c75ae5fe2249fff3fab72a

SHA256
7124ce12edbe629ab084b603901ba8dec0cb497bca0f74f9e953f9e8e82a3066

SHA512
0ad26d4027e89afd5f388ecd701da4de8b447bde8dd1c4d8582bcad3e52833d92eaabaf1fe235e83bdfc320231927ac2b5420c47e0ecb3a8fc3c2cb3a75fe7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp850F.tmp

Filesize
1KB

MD5
78ff5e740204e0e244a6d43d7b078f39

SHA1
097008df39ff9f8b23834981bfb31f58e70d92ef

SHA256
c13116656282407ad0eaf70d8eb4981c92e559d1f9174c50fb1d2931fbacf6ec

SHA512
7ecba0fc2dc8056ba73482a143fc22b1e0d83e3e02430010dc5aafeb73d2c62cf960f2bd25d3ce5345b952ba999fbfb9fcac9c3aa86963f1221c3c1d60e12781

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads