fd11c4dfe3ec12ae0c668e7ac0896e356acbeb91b55899a15420b1510841f34e

General

Target

tmp.exe
Size

128KB
MD5

b19e1724a2a129acc3aa58cb9c47b026
SHA1

92babf7a1528297fd97afa47211100abb5b85423
SHA256

fd11c4dfe3ec12ae0c668e7ac0896e356acbeb91b55899a15420b1510841f34e
SHA512

a803a6d3fd71f1c9c46577e9af7f34dd3cab8bfc09d1f73310d9f7e6bfff039c23add8cfffd13d507970ff6b57852ef683bedbe69536782ecca7b30a9069dd76
SSDEEP

1536:KnEbVPAERLbgexvltYQpdI3jxdTGfLI1LaPO6LH6OoErcdkKsWjcdYrFSnr:dZAOLE4c3iLItam0H6oW6Yr4nr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2264	InstallCert.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\97D074033D6D0AA093CB6FFCB277D2311ED3F118	InstallCert.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\97D074033D6D0AA093CB6FFCB277D2311ED3F118\Blob = 03000000010000001400000097d074033d6d0aa093cb6ffcb277d2311ed3f1180200000001000000bc0000001c0000006c00000001000000200000000000000000000000020000007b00320041003600450039003900450042002d0045004600350035002d0034004600370044002d0042003200360035002d003800380039004300300031003800320036003600350030007d00000000004d006900630072006f0073006f006600740020005300740072006f006e0067002000430072007900700074006f0067007200610070006800690063002000500072006f007600690064006500720000002000000001000000f1020000308202ed308201d9a0030201020210aa5357f3c02917a945d70bb5b97ed852300906052b0e03021d050030123110300e06035504031307456e6a6f794974301e170d3132313233313136303030305a170d3234313233313136303030305a30123110300e06035504031307456e6a6f79497430820122300d06092a864886f70d01010105000382010f003082010a0282010100d1846117252c027e08081855cdde319f84a61365bde379fb3ccd7d2995ed304a181d66339937acc48e6ff40022ef7e0b812b16f3a86590daf916360c704b8d207ffdcb5b22e920337b068a1531f1257db6a06428b901a0a79d697780eab4d69408e1f41f86a4b6be95f1dc9c8ab9430c908e7a5a9a09c8b46164269fc6d9a23c9e528011378a1f8610733d929bc3de905b9023a3edb1f1bbc979295a274fda82cfa125f9e128d68cf7421a45f30ea368cfab30424d2cfcb1a8b39086d585c95085228b34334de24c4cf5638f0d856e7fc1ba7701245e7fcb8c25506132e49a3aabfc4a57b0c4669030d3b302be6d2feb0bdabf691bf5a612fbf4b324cce4e4ff0203010001a347304530430603551d01043c303a80107058a7030f598bef6ed55117b237e8eda11430123110300e06035504031307456e6a6f7949748210aa5357f3c02917a945d70bb5b97ed852300906052b0e03021d05000382010100a845f340fb552087618d67fb7b679b691fe2c163b38a9858d0d3fde99f66e08dfcf7f6bf75b4ee1bd8a9819fd796f0b7fc309df2f5d60e86d121bb27d444ccb69a47068aa4466d648f5f4c8f4dc34e17d0d0bda6fc375a9415cedf934d949258453ad003d200992eb91c300b5d0a3f95a963ab697173b62210db1f4d5bf7eb083629d36c106faf63a4f58600a1eb738d27d8775d9667f724a4df16d79825bc67b6354ebd32eefa042c2878fe0d0d0eb41c04eed9ce9673ad2d83da5d1789f9c4c12e254e77c65e477a8168ef12c836f402a9661042aec0704df57a31c2dc308918d864b379ff031db736445a042a92d6fd97fb1bc0d5c6e0e7fc06a9529227b7	InstallCert.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2264	InstallCert.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2100	2680	tmp.exe	29
PID 2680 wrote to memory of 2100	2680	tmp.exe	29
PID 2680 wrote to memory of 2100	2680	tmp.exe	29
PID 2680 wrote to memory of 2100	2680	tmp.exe	29
PID 2100 wrote to memory of 2120	2100	cmd.exe	30
PID 2100 wrote to memory of 2120	2100	cmd.exe	30
PID 2100 wrote to memory of 2120	2100	cmd.exe	30
PID 2100 wrote to memory of 2528	2100	cmd.exe	32
PID 2100 wrote to memory of 2528	2100	cmd.exe	32
PID 2100 wrote to memory of 2528	2100	cmd.exe	32
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31
PID 2100 wrote to memory of 2264	2100	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A76.tmp\6A77.bat C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\InstallCert.exe
    "C:\Users\Admin\AppData\Local\Temp\installCert.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2264
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight" /v "AllowElevatedTrustAppsInBrowser" /t reg_dword /d 00000001 /f
    3⤵
    PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A76.tmp\6A77.bat

Filesize
344B

MD5
5c1fbf8b011b831a6b7612f9400efc68

SHA1
3158a9d4424419426a3795ced2f9be7104c994d9

SHA256
ab041d43ce610b8d1c9521d041b97e964955fb46c93085bab4d253dde32cda2a

SHA512
8ca008e20870a924065475bb917c8f081830191b53108e6215528263aafa1b07a11aa2247391c4c8cc1e557eca3b57584caa351a3ba7b9808287c29665e45a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallCert.exe

Filesize
56KB

MD5
d7cf8d25470bdf04b768ea108097aa46

SHA1
50f9acd2fe6468d28a1823f215283623181ff57a

SHA256
7cd409db1dd5211460f3d029ec2ad46edc840d3104bfb3b9d6d46e8b98e4945f

SHA512
5990bd5cc1af3d1558de5b8385a7a32016f88df873e40ce49b541611854be6254762d3ade13a41b430222c753506b9357cead9b89bb715b61045ce46d49f6f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallCert.exe

Filesize
56KB

MD5
d7cf8d25470bdf04b768ea108097aa46

SHA1
50f9acd2fe6468d28a1823f215283623181ff57a

SHA256
7cd409db1dd5211460f3d029ec2ad46edc840d3104bfb3b9d6d46e8b98e4945f

SHA512
5990bd5cc1af3d1558de5b8385a7a32016f88df873e40ce49b541611854be6254762d3ade13a41b430222c753506b9357cead9b89bb715b61045ce46d49f6f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\slEnjoyIT.pfx

Filesize
2KB

MD5
ccebbf94d13f0b2869a878e95333c106

SHA1
20c2906bbc33daebd0e2df560ee846de80ed3484

SHA256
072dedef2b2b308385a94a68a96e21d3370ee049710e6c5c5a37ac7b4390810d

SHA512
0cd9237af8f6800a8b7fc94f0a7d19534345159b4086b9173cd7894446201a0294297ae4ab8cc2983129984f2a46d1907a6b421ae583eb6fa904df1a8470cd34

Download Submit

Analysis

Sharing