donot_downloader | 21989a16f64302716a565599f469f5a97fb4a1b14ff6ed1896d2650866e12d6c

General

Target

kpryt.bin.dll
Size

554KB
MD5

5c09c68b5bb3996f903218bc0e101025
SHA1

d566450d11dff5ac3611c4215b28fef2a14a0d8c
SHA256

21989a16f64302716a565599f469f5a97fb4a1b14ff6ed1896d2650866e12d6c
SHA512

fd83ff5d4514629fabf2e3d88a536604b235c9f48d756816829650737687b73ec7ddc98782771720b2d9c843764f7893e7f3bf6f7f9bbdad1958cce53d9658b9

Score

10^/10

rat donot_downloader

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1068	1088	rundll32.exe	rundll32.exe

Blacklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

4 1068 rundll32.exe
6 1068 rundll32.exe
8 1068 rundll32.exe
Donot APT Downloader
A downloader used by Donot APT group to download further modules.
rat donot_downloader

flow	pid	process
4	1068	rundll32.exe
6	1068	rundll32.exe
8	1068	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1
2⤵
- Blacklisted process makes network request
- Modifies system certificate store
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing