99a6966aea833fa53e11681cb19b336abd176eb1e477fdde957ec11954e7086d

General

Target

MultiExploitBuilderV1.exe
Size

2.2MB
MD5

b9fa659bd0b2b103521c686ecf3da2c7
SHA1

21427801d6d99aff543964fe8f685faa196cf8f2
SHA256

99a6966aea833fa53e11681cb19b336abd176eb1e477fdde957ec11954e7086d
SHA512

c25bd26b8e9aba2df095e1a964a8a92c25b800a7604330ca6ee1ece89e6b680897af216905ecb40b4a4d7228a1fe857c11707248590839e7ecd2ef6c431a05d4
SSDEEP

49152:bqe3f6lnC3KqopqB8YwuJQ9iEpWHGG2J/:WSi1qKqBOSwTCwR

Score

8^/10

discovery persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Executes dropped EXE 1 IoCs

pid	Process
1996	MultiExploitBuilderV1.tmp

Loads dropped DLL 2 IoCs

pid	Process
1160	MultiExploitBuilderV1.exe
1996	MultiExploitBuilderV1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchOptimizer.exe	MultiExploitBuilderV1.tmp
File opened for modification	C:\Windows\system32\SearchUI.exe	MultiExploitBuilderV1.tmp
File created	C:\Windows\system32\is-993FU.tmp	MultiExploitBuilderV1.tmp
File created	C:\Windows\system32\is-3MASG.tmp	MultiExploitBuilderV1.tmp
File created	C:\Windows\system32\is-3BDUS.tmp	MultiExploitBuilderV1.tmp

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reduce Memory\ReduceMemory.exe	MultiExploitBuilderV1.tmp
File created	C:\Program Files\Reduce Memory\unins000.dat	MultiExploitBuilderV1.tmp
File created	C:\Program Files\Reduce Memory\is-5E7L7.tmp	MultiExploitBuilderV1.tmp
File created	C:\Program Files\Reduce Memory\is-M4FL0.tmp	MultiExploitBuilderV1.tmp
File created	C:\Program Files\Reduce Memory\is-R1RMU.tmp	MultiExploitBuilderV1.tmp
File created	C:\Program Files\Reduce Memory\is-1GI0Q.tmp	MultiExploitBuilderV1.tmp
File opened for modification	C:\Program Files\Reduce Memory\unins000.dat	MultiExploitBuilderV1.tmp

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2524	sc.exe
3012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	MultiExploitBuilderV1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	MultiExploitBuilderV1.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	MultiExploitBuilderV1.tmp
1996	MultiExploitBuilderV1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	MultiExploitBuilderV1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	MultiExploitBuilderV1.tmp

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1160 wrote to memory of 1996	1160	MultiExploitBuilderV1.exe	28
PID 1996 wrote to memory of 2888	1996	MultiExploitBuilderV1.tmp	29
PID 1996 wrote to memory of 2888	1996	MultiExploitBuilderV1.tmp	29
PID 1996 wrote to memory of 2888	1996	MultiExploitBuilderV1.tmp	29
PID 1996 wrote to memory of 2888	1996	MultiExploitBuilderV1.tmp	29
PID 2888 wrote to memory of 2524	2888	cmd.exe	31
PID 2888 wrote to memory of 2524	2888	cmd.exe	31
PID 2888 wrote to memory of 2524	2888	cmd.exe	31
PID 2888 wrote to memory of 3012	2888	cmd.exe	32
PID 2888 wrote to memory of 3012	2888	cmd.exe	32
PID 2888 wrote to memory of 3012	2888	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe
"C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\is-EKM6P.tmp\MultiExploitBuilderV1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EKM6P.tmp\MultiExploitBuilderV1.tmp" /SL5="$30150,1485076,837632,C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-8JMQP.tmp\env.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\sc.exe
      sc create SearchOptimizer binpath= "C:\Windows\System32\SearchOptimizer.exe" start=auto
      4⤵
      Launches sc.exe
      PID:2524
  - - C:\Windows\system32\sc.exe
      sc start SearchOptimizer
      4⤵
      Launches sc.exe
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SearchUI\ver.txt

Filesize
75B

MD5
3e9b283396ce48fe6410ffaa5b3a7ef7

SHA1
08ce48281fc5fb2dcb69034120ace5d02233d4c8

SHA256
bea122a004eb8d1dc88a38636f77cf73ccf20c5cbf39061b967e7d23cc995158

SHA512
27dce7901a94f2dc163e2c8b35ced9bc63d1737ac87df9b385aec6b662d04df8a7b472c31458dd67109014a18be4150e4eecdfc661c44f44c0d4764d3175f6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JMQP.tmp\env.bat

Filesize
126B

MD5
7af82eba781e242f1d31d84426fe6d46

SHA1
8922e100cbbefe0bea303350fec65ad9e7d2c6bf

SHA256
e542c65b51318d3b6308e6f9cddf56cfb9e5702c688b089739a8087677acbbfe

SHA512
22a5ee800cd4c0e1e2e57ec1818631a8d94641023b282b05df754ca6cbbae08d7b935de879780c3170ec8cc0c6897fa1be5d868e7cf04ce35af39d5adde69a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EKM6P.tmp\MultiExploitBuilderV1.tmp

Filesize
2.9MB

MD5
1f4bdf4d6f2b4fd5f8e60e8be2e86c5b

SHA1
5da410b4f14949b46cc7995f4f8f480a2de25a70

SHA256
711308c01e6c633293062aca47ba61df0baadc980ebf2ff66e0fb39e5e537477

SHA512
2436d25866cf93a53116038f715919c82e21a8171fe0a68ffefa5283fb07824d74ec4c89f870e018fc2326beab89d6bdfd0249d6fc9f078859427bc351b837e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EKM6P.tmp\MultiExploitBuilderV1.tmp

Filesize
2.9MB

MD5
1f4bdf4d6f2b4fd5f8e60e8be2e86c5b

SHA1
5da410b4f14949b46cc7995f4f8f480a2de25a70

SHA256
711308c01e6c633293062aca47ba61df0baadc980ebf2ff66e0fb39e5e537477

SHA512
2436d25866cf93a53116038f715919c82e21a8171fe0a68ffefa5283fb07824d74ec4c89f870e018fc2326beab89d6bdfd0249d6fc9f078859427bc351b837e8

Download Submit
\Program Files\Reduce Memory\ReduceMemory.exe

Filesize
776KB

MD5
0d626331715cc35aa377a8503f85c92a

SHA1
26aad89595f00068151d3676297ceec394e718af

SHA256
3e541100c869dba06ee62252a9661e5a06c2e685a7ddd5288ea1358703412385

SHA512
6dcdc39672dd00873c55753ba02ad05dc61ef028a4de385d5af38f30c4959342ac25f0ae936a19fb29100a49ab379f16f5288578434e1aea83b03e596d999996

Download Submit
\Users\Admin\AppData\Local\Temp\is-EKM6P.tmp\MultiExploitBuilderV1.tmp

Filesize
2.9MB

MD5
1f4bdf4d6f2b4fd5f8e60e8be2e86c5b

SHA1
5da410b4f14949b46cc7995f4f8f480a2de25a70

SHA256
711308c01e6c633293062aca47ba61df0baadc980ebf2ff66e0fb39e5e537477

SHA512
2436d25866cf93a53116038f715919c82e21a8171fe0a68ffefa5283fb07824d74ec4c89f870e018fc2326beab89d6bdfd0249d6fc9f078859427bc351b837e8

Download Submit
memory/1160-1-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1160-43-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1996-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1996-12-0x0000000001FB0000-0x00000000020F0000-memory.dmp

Filesize
1.2MB

Download
memory/1996-13-0x0000000001FB0000-0x00000000020F0000-memory.dmp

Filesize
1.2MB

Download
memory/1996-45-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/1996-46-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1996-47-0x0000000001FB0000-0x00000000020F0000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing