d68523b9ed98b18a2df3cd413eb6f476d1c6f5d818607b83b1424b4d61ea8149

General

Target

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe
Size

1.7MB
MD5

99a9fbd5fee72ce51585309390a46717
SHA1

ff39c56312090a909c2c0c82629c552a3b252a98
SHA256

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa
SHA512

97f9a98fb48c8281818163d3dbe66fa246e1fe6a5a67f15175419992b0ca389cbe086e457177c21ce9c99ff05a1e0b508812cdf30220090a438dd8c94f73c6b7
SSDEEP

24576:R4nXubIQGyxbPV0db26Wmd0l4sv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO7:Rqe3f61mZSffPMWrQ0ZkA

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

pid process

1216 833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Loads dropped DLL 1 IoCs

Processes:

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe

pid process

1376 833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe

pid	process
1216	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

pid	process
1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

pid process

1216 833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

pid	process
1216	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe

description	pid	process	target process
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
PID 1376 wrote to memory of 1216	1376	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe	833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp

C:\Users\Admin\AppData\Local\Temp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe
"C:\Users\Admin\AppData\Local\Temp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\is-FUD8N.tmp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FUD8N.tmp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp" /SL5="$70126,831488,831488,C:\Users\Admin\AppData\Local\Temp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c9077af325954904727f416ee196badd

SHA1
96524fafad3a2bad29dfc4bc9c14378911eef302

SHA256
2e746907640c91aff3b15267be8eb8917c86fa0b9a063b4daed6b13ee7c15122

SHA512
47b751aa2d3a7c2b44932262d8286b6fca6481dbab7100d20c347ee44b7afd44b691b490bcda96c39d9fa5be00300cc1edbae4b5452aa1e37188466fdc8bff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar300E.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FUD8N.tmp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Filesize
3.0MB

MD5
0c229cd26910820581b5809c62fe5619

SHA1
28c0630385b21f29e3e2bcc34865e5d15726eaa0

SHA256
abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3

SHA512
b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-FUD8N.tmp\833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa.tmp
Filesize
3.0MB

MD5
0c229cd26910820581b5809c62fe5619

SHA1
28c0630385b21f29e3e2bcc34865e5d15726eaa0

SHA256
abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3

SHA512
b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a

Download Submit
memory/1216-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1216-185-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1216-186-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1216-188-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1376-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1376-184-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing