3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca

General

Target

3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe
Size

660KB
MD5

46b6f9f68d411763278322eaf5ac9b5e
SHA1

86460b4ca0dde101bb678f8f85d5805db4829c6f
SHA256

3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca
SHA512

c13e082ab5a761bcf8baab76df14bb0f689fd3df458da1a4d52e7423aa0c4204d746741085b6ffa660dbe2998c33f96d8e559ea0923038d55d498b6239c4c7a4
SSDEEP

12288:MNYl/0Val4cy904tJbk9apbgRVLcZrTg6GluiYfGyh:/l4cy7vo92gnLmqluiYfv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	trust_a.exe

Loads dropped DLL 2 IoCs

pid	Process
1276	3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe
2892	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2836	1276	3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe	28
PID 1276 wrote to memory of 2836	1276	3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe	28
PID 1276 wrote to memory of 2836	1276	3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe	28
PID 2836 wrote to memory of 308	2836	trust_a.exe	30
PID 2836 wrote to memory of 308	2836	trust_a.exe	30
PID 2836 wrote to memory of 308	2836	trust_a.exe	30
PID 2836 wrote to memory of 2888	2836	trust_a.exe	31
PID 2836 wrote to memory of 2888	2836	trust_a.exe	31
PID 2836 wrote to memory of 2888	2836	trust_a.exe	31
PID 2836 wrote to memory of 2852	2836	trust_a.exe	32
PID 2836 wrote to memory of 2852	2836	trust_a.exe	32
PID 2836 wrote to memory of 2852	2836	trust_a.exe	32
PID 2836 wrote to memory of 2236	2836	trust_a.exe	33
PID 2836 wrote to memory of 2236	2836	trust_a.exe	33
PID 2836 wrote to memory of 2236	2836	trust_a.exe	33

C:\Users\Admin\AppData\Local\Temp\3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe
"C:\Users\Admin\AppData\Local\Temp\3e7dce10819838dedd22f4e0dc4e13aba896c8b0f55bd89698dae0d2536288ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe
  "C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /C" echo 23A3510h "
    3⤵
    PID:308
- - C:\Windows\system32\findstr.exe
    findstr "B"
    3⤵
    PID:2888
- - C:\Windows\System32\certutil.exe
    C:\Windows\System32\certutil.exe -hashfile wget.exe SHA256
    3⤵
    PID:2852
- - C:\Windows\system32\findstr.exe
    findstr /i C12B228674CEEA82771B80F16DFF8EB6811DB16E72AC52E29595328E6120EBAD "wget.exe.sha256"
    3⤵
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe

Filesize
358KB

MD5
88783b5b71030769f8df32522f01fa98

SHA1
44b1658803e9f361ea20486b78f0fcc272098d84

SHA256
43a49448f72ece7dba4565da75b2a15d46424c6d2a59cf2279ef9e0163b22512

SHA512
440bd67aedbef133e427df3b04c8f2cf61593176b9d58e2ca0bb4a5036d9675e2317789574d89bc7661a029879fc50a988c063306f4e858942e7e56014e613ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe

Filesize
358KB

MD5
88783b5b71030769f8df32522f01fa98

SHA1
44b1658803e9f361ea20486b78f0fcc272098d84

SHA256
43a49448f72ece7dba4565da75b2a15d46424c6d2a59cf2279ef9e0163b22512

SHA512
440bd67aedbef133e427df3b04c8f2cf61593176b9d58e2ca0bb4a5036d9675e2317789574d89bc7661a029879fc50a988c063306f4e858942e7e56014e613ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\wget.exe

Filesize
634KB

MD5
2321752d9f5440d72b345f59cdb14f76

SHA1
f657278fe4029a798c1eb7dbd1111a634930c865

SHA256
c12b228674ceea82771b80f16dff8eb6811db16e72ac52e29595328e6120ebad

SHA512
6b39072c9c164acc5ce37ea9ef71efca01c5b64794ff347a5e0d7c8a65978851ac722c5ac62d7162f8d0926332f6af914bcbaf157b301f0fd3c7df39878f6987

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\wget.exe.sha256

Filesize
181B

MD5
9bd44f0f98708194f6aa8def08aa42e6

SHA1
6fee04beb23eb7cfabd9f223c84d9b753a5c366b

SHA256
1c5cf2cad29f0870e7b1ad23ff1c7df2702b5a405d44282d57ae3e52d224046b

SHA512
c73869ba380a1e6eb0c75d2becfded9408a71f88cd216da772e5b5bb691534992d1280ed5f95533ef148066d8884c05b12ccb151077c6eff63993384ed61296b

Download Submit
\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe

Filesize
358KB

MD5
88783b5b71030769f8df32522f01fa98

SHA1
44b1658803e9f361ea20486b78f0fcc272098d84

SHA256
43a49448f72ece7dba4565da75b2a15d46424c6d2a59cf2279ef9e0163b22512

SHA512
440bd67aedbef133e427df3b04c8f2cf61593176b9d58e2ca0bb4a5036d9675e2317789574d89bc7661a029879fc50a988c063306f4e858942e7e56014e613ec

Download Submit
\Users\Admin\AppData\Local\Temp\TrustRootCATool_v35_23A3510h\trust_a.exe

Filesize
358KB

MD5
88783b5b71030769f8df32522f01fa98

SHA1
44b1658803e9f361ea20486b78f0fcc272098d84

SHA256
43a49448f72ece7dba4565da75b2a15d46424c6d2a59cf2279ef9e0163b22512

SHA512
440bd67aedbef133e427df3b04c8f2cf61593176b9d58e2ca0bb4a5036d9675e2317789574d89bc7661a029879fc50a988c063306f4e858942e7e56014e613ec

Download Submit
memory/2836-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing