b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3

General

Target

b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
Size

135KB
MD5

a22e749e93e700349342efb123affe50
SHA1

2582ab409a295e10e1b54462a46fdc61a9b5beaa
SHA256

b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3
SHA512

bce75b7e7022f7ba8434f2f61f4cd23a94b2e24fa318c8b3696ee67d2c91ecdfa116071437f5b274b65bf28bb47e410080556f176d1bbab71ed150add56a35b3
SSDEEP

3072:jmA6SzGc9rRUi9zcjBf020BaSwr2mrm6ks+gO6r682:6AFzGc9rRUgzc9fz0Bp2DmJNghmb

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4148	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	79
PID 1860 wrote to memory of 4148	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	79
PID 1860 wrote to memory of 4148	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	79
PID 1860 wrote to memory of 4504	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	80
PID 1860 wrote to memory of 4504	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	80
PID 1860 wrote to memory of 4504	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	80
PID 1860 wrote to memory of 1392	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	83
PID 1860 wrote to memory of 1392	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	83
PID 1860 wrote to memory of 1260	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	84
PID 1860 wrote to memory of 1260	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	84
PID 1860 wrote to memory of 4232	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	85
PID 1860 wrote to memory of 4232	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	85
PID 1860 wrote to memory of 3104	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	86
PID 1860 wrote to memory of 3104	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	86
PID 1860 wrote to memory of 2032	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	87
PID 1860 wrote to memory of 2032	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	87
PID 1860 wrote to memory of 1284	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	88
PID 1860 wrote to memory of 1284	1860	b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe	88

C:\Users\Admin\AppData\Local\Temp\b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe
"C:\Users\Admin\AppData\Local\Temp\b8530172c75b4bc015af84448161265cd56b48c8d92e97e623ab5bf0fdcd3fe3.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:4148
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:4504
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1392
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1260
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4232
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3104
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2032
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/1860-135-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/1860-136-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4148-133-0x0000000000000000-mapping.dmp

Download
memory/4504-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing