4f4858e376fe57069246525e2c132572fae46a5883c4350044437ffbc6816353

Reason

Machine shutdown

General

Target

4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe
Size

1.7MB
MD5

b3ce27015ed4fa069e3ae8937ae65d8d
SHA1

4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03
SHA256

4f4858e376fe57069246525e2c132572fae46a5883c4350044437ffbc6816353
SHA512

f79bc1925509bb79b43748daa47c109727f2098f478e90dd4193e3245506355e39480fcd69ac9805ec57177305c8b18b9038ef8b4b7ba9b35c4672def8ab8b3b
SSDEEP

24576:l7FUDowAyrTVE3U5FmyrGAmtCz+Azz52YTOBeYH5khC4zt/S7UjCIp59js8BM3TP:lBuZrEUfLzdP52HtyhdtKuCqbjsFb

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2256	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp

Loads dropped DLL 1 IoCs

pid	Process
2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28
PID 2508 wrote to memory of 2256	2508	4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe	28

C:\Users\Admin\AppData\Local\Temp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe
"C:\Users\Admin\AppData\Local\Temp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\is-SE91A.tmp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SE91A.tmp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp" /SL5="$80120,841196,832512,C:\Users\Admin\AppData\Local\Temp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a73daace83f2aa9f3a7f102f077ff95d

SHA1
d27f9b074c04a610fba61fe2b90521e7d8adbd36

SHA256
c2b23a15c440c79586b9e0dcb9d0c546789145759a56fe416d7d2c90aaa41d59

SHA512
3a1b2e54ab585b0b99d514a344fbf1e0c1085f69f0e76c5abc2e7338e1962a09db68d011b643bb559853a4485e9109c7dd6e7b44774e9fd8cdd932f48f193e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar86F2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SE91A.tmp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp

Filesize
3.1MB

MD5
f88821c5b7bed387e89fe15440e51f47

SHA1
5eee6d85cdfb7e1933af56c14ac6177503595108

SHA256
04286899486eb28faaf119819bfdd433c509c7591294d26863079277d46f3487

SHA512
36e36d582359e37a499fa0606b5a90036529ace6a022e310d4332a980d412b8f1f5c353823489be66c5355e62aa00c140a51cc261c0e7800cb86442c24c64643

Download Submit
\Users\Admin\AppData\Local\Temp\is-SE91A.tmp\4e2ad5de0c8d85c84bc06e32bab068ef31d9cd03.tmp

Filesize
3.1MB

MD5
f88821c5b7bed387e89fe15440e51f47

SHA1
5eee6d85cdfb7e1933af56c14ac6177503595108

SHA256
04286899486eb28faaf119819bfdd433c509c7591294d26863079277d46f3487

SHA512
36e36d582359e37a499fa0606b5a90036529ace6a022e310d4332a980d412b8f1f5c353823489be66c5355e62aa00c140a51cc261c0e7800cb86442c24c64643

Download Submit
memory/2256-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-133-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2256-134-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-136-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2352-140-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2400-139-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2508-131-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2508-138-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Resubmissions

Analysis

Sharing

Errors