6831845d55c74e7533b9fa45fbc2a20062ba711607aaacc4d0cc44788ac1759b

Analysis

max time kernel
6s
max time network
9s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sas.cer
Size

716B
MD5

36629362fafba1f33bb5c13137052c7e
SHA1

fac45c2e966bf8d6bd0f53d0020bb8fe9249be60
SHA256

6831845d55c74e7533b9fa45fbc2a20062ba711607aaacc4d0cc44788ac1759b
SHA512

ecfde1545eb918ae3fca6daf9a14a1573649bc68a0c47c2402082868deb2401a9063d64066a2d375c25f166188f97e760fad552f2ccca35f160279b9fc99a393

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2096	rundll32.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\SystemCertificates\CA\Certificates\FAC45C2E966BF8D6BD0F53D0020BB8FE9249BE60\Blob = 04000000010000001000000036629362fafba1f33bb5c13137052c7e0f00000001000000200000004c7889433cdb2e1145334703b5f91beb3ac88d40ed9e71a2bc301afdcde55258140000000100000014000000cd3a11949fbc9c9516eb874149544a9c551fedac1900000001000000100000008afbf678fd92bee3200dd9bd9770b99d030000000100000014000000fac45c2e966bf8d6bd0f53d0020bb8fe9249be602000000001000000cc020000308202c8308201b0a00302010202046e9e8d0a300d06092a864886f70d01010b05003015311330110603550403130a676f6f672e6c6f63616c301e170d3233303830373134333433395a170d3330303830373134333433395a3015311330110603550403130a676f6f672e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b997f4acc861a70d19a55a548d84a8c9347755edcfdbdb6e2aac9bcc48fcff80a2c632763f3d28935fbb82a5d3fa2bcc9e352d1ccec85f1bc351ccc8d120ddd86557a5c01187fabd4c3a94ca6be92e5d4a2d1a6086751a9ca2983b5841e16d220654e1abfdc296d0ac318497e3f849de258d7c4a37a7b2c22430513d94dbd35ce6484467caa5395be449e710c8bd2d5dcbd6711a01ce1274a53cd64f25d04b419b8f080823f44e3ea08b9df4c5f0f9dc6d03f9409ed04fd34141ad841a7a91c440f18c0c3bcae6572348e834d35bdcc641a4a1e76edbb4cd1b3ca5ca1c6452756e33c4a6c824f4ca3f0e2ffef92f4cac5760b0b67e35ab5c089e035dfa5a1db30203010001a320301e300f0603551d130101ff040530030101ff300b0603551d0f040403020186300d06092a864886f70d01010b050003820101000cc23c11b6a150e1033a0dd50be8bcebda3d6b2fd467e237d6b85d824e565561314536a769bf9749953e0f9d38acd22f1473f0ba2ec3f396a68424269cbc60572e8af3e1e47943f0816aebbc51e1f21d90a40e88d7444b3750d4ede6f788129667fd798f38eb6b1523ea1ea2c3c9bcf3f57326977cb67a72e2f152e01fc8f60650981bac2e65371a126b4acb4cf8687ddb755f85268e41340789de7164d314eaea57aacb9bae0dd1594d3ae2cc72cfb98fc12f401cca03dfbc7fd3a96ebd69c3c591d7e91475a9fa3d59549a4b9fcfd0ec027a5abc6d9f66cd38885a2bc96e21b2fe91f3c2c11f09f12ba0dcb4dde951df9b7d4f45026414f937217cb7042a48	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\SystemCertificates\REQUEST	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\SystemCertificates\CA\Certificates\FAC45C2E966BF8D6BD0F53D0020BB8FE9249BE60	rundll32.exe

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\sas.cer
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab7BD6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9053.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit