aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da

General

Target

aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe
Size

1.7MB
MD5

4e60fbfb9f6c7e9fe6935437253038eb
SHA1

7c020f139905f97885970f05230d3d74f00e1be7
SHA256

aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da
SHA512

b7a7686992208935d21db965280a69f8e44062009c547125d71dcde809fde39fe49d5312bab3ff8bed685b1fdda3cefcfd3762dd941922f40879df0ada7468f2
SSDEEP

24576:P4nXubIQGyxbPV0db26WLzJ0mYK421t0YKbDVfcqOlsoO0drNBuLy1zoHf2MPyn:Pqe3f6WJx5leDlMlsRmpgtfKn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp

Loads dropped DLL 2 IoCs

pid	Process
1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe
1748	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28
PID 1104 wrote to memory of 1748	1104	aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe	28

C:\Users\Admin\AppData\Local\Temp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe
"C:\Users\Admin\AppData\Local\Temp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\is-QP5L5.tmp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QP5L5.tmp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp" /SL5="$70128,874175,831488,C:\Users\Admin\AppData\Local\Temp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55708e69fa2ee34320a155b9bf01a47e

SHA1
e3cb09c157d1d8d4200f66c70bf056de729edd6c

SHA256
049d10f6a26a6aa21446dcff170f8c9cbd02d645896fdcc22fe1a248edded84c

SHA512
8cb08a61ef7f402a4324f0401706c130853d4d5776dc703295bb19bb55e39106c266b14496df9a9026ee0c54df8860f5507c77413e2f583f3c28d2ddbc9239f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4D39.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DE8.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QP5L5.tmp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp

Filesize
3.0MB

MD5
0ee24b1e0f0078b25c512ec0e5c3e14d

SHA1
d292c7452b4417dfd2fc3094a58e8e9de917b513

SHA256
8288bfe42bf10dd76e709745317e4971283284e78c124d2d304543acb02a8e22

SHA512
416e50f5e2ff2cf34e7ab5cbbf7a522343b6b4669f09ea0a282e97005bdb861686bdff075ed58e27c392d4c1ff017aa67773863a4fd4981c40c7e61661d94b60

Download Submit
\Users\Admin\AppData\Local\Temp\is-ED99V.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-QP5L5.tmp\aa9a73d984e82c7858082c43ce3872a2dcaa6be3f31ce2f012882983798ac9da.tmp

Filesize
3.0MB

MD5
0ee24b1e0f0078b25c512ec0e5c3e14d

SHA1
d292c7452b4417dfd2fc3094a58e8e9de917b513

SHA256
8288bfe42bf10dd76e709745317e4971283284e78c124d2d304543acb02a8e22

SHA512
416e50f5e2ff2cf34e7ab5cbbf7a522343b6b4669f09ea0a282e97005bdb861686bdff075ed58e27c392d4c1ff017aa67773863a4fd4981c40c7e61661d94b60

Download Submit
memory/1104-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1104-175-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1104-187-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1748-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1748-179-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1748-181-0x0000000003750000-0x000000000375F000-memory.dmp

Filesize
60KB

Download
memory/1748-177-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1748-185-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1748-176-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing