2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15

Analysis

max time kernel
128s
max time network
135s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
Size

8.5MB
MD5

181598b1efd5cadf471a942e81a6e4f3
SHA1

73b54509cfeb632fbd83edae8c1faf6645a9b953
SHA256

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15
SHA512

a26c373b30abbbdb9d309faa7f87dcfb5f9977d2336a879d905ab82b3ffbe2a3964a0e7495d54e512ec6c3933a22dc83609d1ae763a7771d378f0f0ff3ac422c
SSDEEP

196608:Vif7B6X6Ko54CO+hQiTgsVzwkzHL4Q5rxg1/9uY/QueuzUsh8vMoc7PBArjeG0Zd:Vi4qK6BjhQrewoHX5rx29uZueuxh8UL/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 20 IoCs

Processes:

rundll32.exe

flow	pid	process
4	788	rundll32.exe
8	788	rundll32.exe
9	788	rundll32.exe
13	788	rundll32.exe
15	788	rundll32.exe
17	788	rundll32.exe
19	788	rundll32.exe
21	788	rundll32.exe
23	788	rundll32.exe
24	788	rundll32.exe
26	788	rundll32.exe
27	788	rundll32.exe
29	788	rundll32.exe
31	788	rundll32.exe
33	788	rundll32.exe
35	788	rundll32.exe
36	788	rundll32.exe
37	788	rundll32.exe
38	788	rundll32.exe
39	788	rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

file.exe2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

pid process

1252 file.exe
1984 2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe

pid	process
1252	file.exe
1984	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

pid	process
1348	cmd.exe

Loads dropped DLL 12 IoCs

Processes:

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exefile.execmd.exe2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exerundll32.exe

pid	process
1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
1252	file.exe
1252	file.exe
1252	file.exe
1348	cmd.exe
1984	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
1984	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
788	rundll32.exe
788	rundll32.exe
788	rundll32.exe
788	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org	nsis_installer_2
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exefile.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1348	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1424 wrote to memory of 1252	1424	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 788	1252	file.exe	rundll32.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1252 wrote to memory of 1976	1252	file.exe	cmd.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 1348 wrote to memory of 1984	1348	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
"C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_ms0443.bat" "C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe""
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
"C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\3E3A.dll",ADB_Release
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3E3A.bat" "
3⤵
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E3A.bat

Filesize
139B

MD5
a5eee97ec05705a63d460bccfdf4677e

SHA1
2214827f82c6dd75c25c873ea003b36e384090c5

SHA256
ffd219b7717c6499b05f43d919cc048ed7db3a7360a08cecb2314b559aabafcd

SHA512
ae5a383ca6c0e2da633cc32660c804d161a1ef56b44c2f742f5e8ba11024642d34622f05888ea59b9ebe9c29d32214ce13a5b888f885189b6f5ce1af776e38ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E3A.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0443.bat

Filesize
244B

MD5
efea808d80666c662b0b84d95c81c067

SHA1
f6a70b4042a8212781b99c7b9835112ff790f69b

SHA256
77587e869ff17ad0d9ac69676d95ec6ad89515dad05cfbd74eef69355607e4ce

SHA512
2ef9dd6dd0ad2db2ac11dbe3b3552f770c7aaf0c82b23c7d677921cc31136f667d249b82d1c9add1b60ec5c9af4f0b058178c91c91e481e70ae2bfa1a7ea288f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
\Users\Admin\AppData\Local\Temp\3E3A.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\3E3A.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\3E3A.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\3E3A.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/788-67-0x0000000000000000-mapping.dmp

Download
memory/1252-58-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1976-68-0x0000000000000000-mapping.dmp

Download
memory/1984-74-0x0000000000000000-mapping.dmp

Download