04cb991f7c25f60abc3773ccdc93595c272f0471b04fabf574839ac023b66989

Resubmissions

08-02-2023 13:40

230208-qyl7raae7z 10

Analysis

max time kernel
406s
max time network
452s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readerdc64_it_hi_mdr_install.exe
Size

1.2MB
MD5

8abb981279dad6371ad9526d9fcd5df8
SHA1

571d964f8d27859c0773c7747378b4c0139fffca
SHA256

04cb991f7c25f60abc3773ccdc93595c272f0471b04fabf574839ac023b66989
SHA512

d3ab76a2b35d92ce26b09d6f4f3579f3825ca1f21a71ab8ae24ad5b2266914489584c1d4af82996527757729cbdb7c6e2c1a63ad10b5bef3d3a6ae1731348817
SSDEEP

24576:pwMt9/dQCf51s2CF0ZwSr2bVwVuXE9WdHwTqC6po9kKSRnIN4Y:CMt9FQCz+EwSr2bQUdQB32INx

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

readerdc64_it_hi_mdr_install.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	readerdc64_it_hi_mdr_install.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

readerdc64_it_hi_mdr_install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64_it_hi_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64_it_hi_mdr_install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

readerdc64_it_hi_mdr_install.exe

pid process

1964 readerdc64_it_hi_mdr_install.exe
1964 readerdc64_it_hi_mdr_install.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

readerdc64_it_hi_mdr_install.exe

pid	process
1964	readerdc64_it_hi_mdr_install.exe
1964	readerdc64_it_hi_mdr_install.exe
1964	readerdc64_it_hi_mdr_install.exe
1964	readerdc64_it_hi_mdr_install.exe

C:\Users\Admin\AppData\Local\Temp\readerdc64_it_hi_mdr_install.exe
"C:\Users\Admin\AppData\Local\Temp\readerdc64_it_hi_mdr_install.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x0000000000C00000-0x0000000001039000-memory.dmp

Filesize
4.2MB

Download
memory/1964-57-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1964-68-0x0000000000C00000-0x0000000001039000-memory.dmp

Filesize
4.2MB

Download