416718d9930e9b17539d9581be3ac4fa607c685c0da970d0dd159cac607d22c8

General

Target

DOCUMENT.EXE
Size

773KB
MD5

d29189ac735f5a778334853c17de6a3f
SHA1

df709ca030fbf8e46d5c36cc58820aee1bda5096
SHA256

92f3596778824929bff1a64b43bc00c97f229de8d136dd6751a4972bba237bf3
SHA512

61ccdd1d6e87dc3c5c09f2e9c2f0cb6e0fa1e8386f73bee8c322e331cf5e994d063cc795e509947d9c6a26efdb125dcbdc8c557549b1cce6143b72239a6895ed

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DOCUMENT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Iwatrrhi = "C:\\Users\\Public\\Libraries\\Iwatrrhi\\ihrrtawI.url"	DOCUMENT.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DOCUMENT.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 140000000100000014000000132735607e1c7112018342ca37a88124ac7f375a03000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d90f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d23152000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	DOCUMENT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 190000000100000010000000ce093238feda33ecec00de7cc6f487350f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d231503000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d9140000000100000014000000132735607e1c7112018342ca37a88124ac7f375a2000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	DOCUMENT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9	DOCUMENT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 0f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d231503000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d92000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DOCUMENT.EXE

description	pid	process	target process
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe
PID 1012 wrote to memory of 1796	1012	DOCUMENT.EXE	mobsync.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
2⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1012-55-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1012-56-0x0000000000371000-0x0000000000385000-memory.dmp

Filesize
80KB

Download
memory/1012-57-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1796-58-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1796-59-0x0000000000000000-mapping.dmp

Download
memory/1796-65-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads