dda6174793b187854d3ad8f6c4a60a147b73210681323d13c1f31fabeb632728

General

Target

BestTrace3.7.3.exe
Size

834KB
MD5

2742aadc580b0398b56b6fe47fbdec19
SHA1

a8eafaf7f240a2fae9d0a6cdb8a99ac32af657ac
SHA256

dda6174793b187854d3ad8f6c4a60a147b73210681323d13c1f31fabeb632728
SHA512

f515fad4dda50006c5031c9becdde78466253398d8edc68000316398c3fdc5b806f46cf965d15f8a20b7214208ad8db803b7bb2eb55f64b24e9a8d8da3b87179
SSDEEP

24576:N6nVer7RRIEUlHFPAT3jWUPSB0P5gIuY+JGr5W:yVeR6EUphATjjPg0BRoJy5W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	Best Trace.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	BestTrace3.7.3.exe
2372	BestTrace3.7.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Best Trace.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Best Trace.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2052	Best Trace.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	Best Trace.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2052	Best Trace.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2052	2372	BestTrace3.7.3.exe	28
PID 2372 wrote to memory of 2052	2372	BestTrace3.7.3.exe	28
PID 2372 wrote to memory of 2052	2372	BestTrace3.7.3.exe	28
PID 2372 wrote to memory of 2052	2372	BestTrace3.7.3.exe	28

C:\Users\Admin\AppData\Local\Temp\BestTrace3.7.3.exe
"C:\Users\Admin\AppData\Local\Temp\BestTrace3.7.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\Best Trace\Best Trace.exe
  "C:\Users\Admin\AppData\Local\Temp\Best Trace\Best Trace.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Best Trace\Best Trace.exe

Filesize
2.6MB

MD5
0d726cc2bc35760db8e502b24a8a0cef

SHA1
99efc7672d88c0c6e78e30dee0efc5849a7e7312

SHA256
9a2a44625099965603d22c0074ba0e965da139e2321c209a9b6956358eeced06

SHA512
1e192963bd13059ddb28b48d1027c1ff07b107578fdc2eba2c599dc96ef3cde452262c81f6b6b84abd9dab9ecc38d6899a7915d5c2f49f126faa4fd8cb4f2846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Best Trace\simplified_chinese.lng

Filesize
12KB

MD5
d999df40557652ec6aa4bac940185796

SHA1
c688eecadf4d6ba1c35df228ca612d4e5832b01a

SHA256
2c6f04b2f52e36063f4dffb8bb1f03e49eb9c69685634fd22690104add3ec698

SHA512
5d38077e2e2972a1c335e88db3e8901e7c05d0970129852a66078721dabb7fd467d1a18a84e1eaffadc2bb68e5b1e611987e79d8df3e0fb757590001dfeac1ea

Download Submit
\Users\Admin\AppData\Local\Temp\Best Trace\Best Trace.exe

Filesize
2.6MB

MD5
0d726cc2bc35760db8e502b24a8a0cef

SHA1
99efc7672d88c0c6e78e30dee0efc5849a7e7312

SHA256
9a2a44625099965603d22c0074ba0e965da139e2321c209a9b6956358eeced06

SHA512
1e192963bd13059ddb28b48d1027c1ff07b107578fdc2eba2c599dc96ef3cde452262c81f6b6b84abd9dab9ecc38d6899a7915d5c2f49f126faa4fd8cb4f2846

Download Submit
\Users\Admin\AppData\Local\Temp\nsy76F6.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/2052-66-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2052-77-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing