262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

Analysis

max time kernel
85s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe
Size

25KB
MD5

e85b4bdfb1169222b6984fbd603ff4c3
SHA1

f23f953551de269b28b1b22544f2e81a9ff95268
SHA256

262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c
SHA512

2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0
SSDEEP

192:oOImSC1GP8dyq5CVR3H5DpQsAHqskhkroIPAtpsMftVPHuY0GliDcvyqWNkCj69t:H1Gy+/HrQsAHq+rO7OYM+yq66lmhy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1232	temper.exe
1624	temper.exe

Deletes itself 1 IoCs

pid	Process
1624	temper.exe

Loads dropped DLL 7 IoCs

pid	Process
1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe
1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe
1232	temper.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1232 set thread context of 1624	1232	temper.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1008	1624	WerFault.exe	30

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	temper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	temper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	temper.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1748 wrote to memory of 1408	1748	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	28
PID 1408 wrote to memory of 1232	1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	29
PID 1408 wrote to memory of 1232	1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	29
PID 1408 wrote to memory of 1232	1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	29
PID 1408 wrote to memory of 1232	1408	262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe	29
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1232 wrote to memory of 1624	1232	temper.exe	30
PID 1624 wrote to memory of 1008	1624	temper.exe	33
PID 1624 wrote to memory of 1008	1624	temper.exe	33
PID 1624 wrote to memory of 1008	1624	temper.exe	33
PID 1624 wrote to memory of 1008	1624	temper.exe	33

C:\Users\Admin\AppData\Local\Temp\262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe
"C:\Users\Admin\AppData\Local\Temp\262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe
  "C:\Users\Admin\AppData\Local\Temp\262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\temper.exe
    C:\Users\Admin\AppData\Local\Temp\temper.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\temper.exe
      C:\Users\Admin\AppData\Local\Temp\temper.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1356
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\trinB7H.log

Filesize
206B

MD5
ef0a6ad42cc56f4003d107721861431f

SHA1
5e90bcf2603ccf67a680de11a7672f5e5b4fa810

SHA256
f4cfe05474c87c3e045d9119a5e243fc0aa37f73c385c6373ce61812ec92f973

SHA512
41d9bbcc02b0cd1bf928868296971bc960227ecc51ec504550b17c8868a2b83994b37a63d06e2fab3be0b527798082ce89440073a42dbe11850093ade8ecb948

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
\Users\Admin\AppData\Local\Temp\temper.exe

Filesize
25KB

MD5
e85b4bdfb1169222b6984fbd603ff4c3

SHA1
f23f953551de269b28b1b22544f2e81a9ff95268

SHA256
262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c

SHA512
2f53b849636a2cd248bd5b187209f657319bb483f1685a599bb4d3e50214c3af5d2f10321e4390b300c87ef4d97d93a943a0eefbc5d3ccb3b5aa9a97cdf028c0

Download Submit
memory/1232-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1408-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1408-54-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1624-70-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1748-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download