f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf

Analysis

max time kernel
141s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 01:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f29445baa824f6729cbda3d90b15cec.exe
Size

2.8MB
MD5

0f29445baa824f6729cbda3d90b15cec
SHA1

572195b4193529d842653e678eeec7dc3544ee2f
SHA256

f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf
SHA512

a05bb0cb18d3c7e0ce5795397beeaee90078c272afccf5211d911eae4bc39078bed7da22c528e77ed4daea1c1b4e736c2f361cdb6e525e4132ba4793e433cc81
SSDEEP

49152:9qe3f6PUk/4g+H98AHaCfu6rtWBu1SSmqOIzDamifOL9T9vEXv:MSiPUk/XE9vBugtL1SNaRLh9vEXv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	0f29445baa824f6729cbda3d90b15cec.tmp

Loads dropped DLL 3 IoCs

pid	Process
2284	0f29445baa824f6729cbda3d90b15cec.exe
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\AVAST Software\Avast	0f29445baa824f6729cbda3d90b15cec.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	0f29445baa824f6729cbda3d90b15cec.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	0f29445baa824f6729cbda3d90b15cec.tmp
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\AVG\AV\Dir	0f29445baa824f6729cbda3d90b15cec.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	0f29445baa824f6729cbda3d90b15cec.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	0f29445baa824f6729cbda3d90b15cec.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0f29445baa824f6729cbda3d90b15cec.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	0f29445baa824f6729cbda3d90b15cec.tmp

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0f29445baa824f6729cbda3d90b15cec.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0f29445baa824f6729cbda3d90b15cec.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0f29445baa824f6729cbda3d90b15cec.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp
2468	0f29445baa824f6729cbda3d90b15cec.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	0f29445baa824f6729cbda3d90b15cec.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	0f29445baa824f6729cbda3d90b15cec.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28
PID 2284 wrote to memory of 2468	2284	0f29445baa824f6729cbda3d90b15cec.exe	28

C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe
"C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\is-1EFAN.tmp\0f29445baa824f6729cbda3d90b15cec.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1EFAN.tmp\0f29445baa824f6729cbda3d90b15cec.tmp" /SL5="$40150,1907617,1111552,C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2468

Network

DNS

d3gsu8mttfdbfj.cloudfront.net

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

8.8.8.8:53

Request

d3gsu8mttfdbfj.cloudfront.net

IN A

Response

d3gsu8mttfdbfj.cloudfront.net

IN A

18.239.47.16

d3gsu8mttfdbfj.cloudfront.net

IN A

18.239.47.114

d3gsu8mttfdbfj.cloudfront.net

IN A

18.239.47.70

d3gsu8mttfdbfj.cloudfront.net

IN A

18.239.47.43
POST

https://d3gsu8mttfdbfj.cloudfront.net/o

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

POST /o HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 114
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: application/json
Content-Length: 9914
Connection: keep-alive
Server: awselb/2.0
Date: Sat, 07 Oct 2023 01:08:02 GMT
x-true-request-id: a728ca92-e4a3-46e7-bb05-6293676920e2
x-robots-tag: none
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 40fb5e8791e3cb1337e56d76d11ee8fa.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: 4CJ0D38ZRDNHZ_4-3JqlSVQhKXD6UiXxKzX49c6oaiI4dahmkOPbNQ==
POST

https://d3gsu8mttfdbfj.cloudfront.net/zbd

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

POST /zbd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
Authorization: Signature=245029c3de8708aac8dda2c4433fc2d7811d7e6203320f591e5d196c82d60d55
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 267
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Date: Sat, 07 Oct 2023 01:08:02 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
X-Cache: Miss from cloudfront
Via: 1.1 40fb5e8791e3cb1337e56d76d11ee8fa.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: gI_HS8rY5xckY031i8E9CYUPmwfo0BvODbymaOasStLBLp4vp8s9Mg==
POST

https://d3gsu8mttfdbfj.cloudfront.net/zbd

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

POST /zbd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
Authorization: Signature=245029c3de8708aac8dda2c4433fc2d7811d7e6203320f591e5d196c82d60d55
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 335
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Date: Sat, 07 Oct 2023 01:08:03 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
X-Cache: Miss from cloudfront
Via: 1.1 40fb5e8791e3cb1337e56d76d11ee8fa.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: kZfYIpsz8QaXg4gHJX-nU7y6Bhxb1_OCTFR6pmcflR11b7vjCRFG4A==
POST

https://d3gsu8mttfdbfj.cloudfront.net/zbd

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

POST /zbd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
Authorization: Signature=245029c3de8708aac8dda2c4433fc2d7811d7e6203320f591e5d196c82d60d55
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 340
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Date: Sat, 07 Oct 2023 01:08:04 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
X-Cache: Miss from cloudfront
Via: 1.1 40fb5e8791e3cb1337e56d76d11ee8fa.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: y4eKLnkHIj3qGLbFiuHTq7pt6TeGaYyb_VA0l8j7u2lnClXmLeCnNg==
GET

https://d3gsu8mttfdbfj.cloudfront.net/f/WebAdvisor/images/943/EN.png

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

GET /f/WebAdvisor/images/943/EN.png HTTP/1.1
Connection: Keep-Alive
User-Agent: Inno Setup 6.1.2
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: image/png
Content-Length: 48743
Connection: keep-alive
Date: Sat, 07 Oct 2023 01:08:04 GMT
Last-Modified: Wed, 23 Nov 2022 15:50:00 GMT
ETag: "4cfff8dc30d353cd3d215fd3a5dbac24"
x-amz-version-id: RW9gnZViDqHn6sjOaRWUaFg5F2z0vnXM
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 a752e456797165fcc0a1e5de08b5353c.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: pK9d_gLVJvdfAGWdECow749teSofCsPyIflmytHp8ap7B3X_Y21QTA==
GET

https://d3gsu8mttfdbfj.cloudfront.net/f/AVG/images/09052021/EN.png

0f29445baa824f6729cbda3d90b15cec.tmp

Remote address:

18.239.47.16:443

Request

GET /f/AVG/images/09052021/EN.png HTTP/1.1
Connection: Keep-Alive
User-Agent: Inno Setup 6.1.2
Host: d3gsu8mttfdbfj.cloudfront.net

Response

HTTP/1.1 200 OK

Content-Type: image/png
Content-Length: 117272
Connection: keep-alive
Last-Modified: Sun, 09 May 2021 15:28:17 GMT
x-amz-meta-cb-modifiedtime: Sun, 09 May 2021 11:51:26 GMT
x-amz-version-id: .utcIFjAtHpj_698Z_tKF.EXAH.IUiV8
Accept-Ranges: bytes
Server: AmazonS3
Date: Sat, 07 Oct 2023 01:08:04 GMT
ETag: "5ef5291810c454a35f76d976105f37cc"
X-Cache: Hit from cloudfront
Via: 1.1 a752e456797165fcc0a1e5de08b5353c.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P3
X-Amz-Cf-Id: XuQXQdxfFZC5Qb3MfwVTEbBAlM5KKx8WTHDlj5QMcn8-czvUCgbBhg==
Age: 19227

18.239.47.16:443

https://d3gsu8mttfdbfj.cloudfront.net/zbd

tls, http

0f29445baa824f6729cbda3d90b15cec.tmp

3.9kB
20.0kB
25
27

HTTP Request

POST https://d3gsu8mttfdbfj.cloudfront.net/o

HTTP Response

200

HTTP Request

POST https://d3gsu8mttfdbfj.cloudfront.net/zbd

HTTP Response

200

HTTP Request

POST https://d3gsu8mttfdbfj.cloudfront.net/zbd

HTTP Response

200

HTTP Request

POST https://d3gsu8mttfdbfj.cloudfront.net/zbd

HTTP Response

200
18.239.47.16:443

https://d3gsu8mttfdbfj.cloudfront.net/f/AVG/images/09052021/EN.png

tls, http

0f29445baa824f6729cbda3d90b15cec.tmp

4.2kB
179.0kB
75
137

HTTP Request

GET https://d3gsu8mttfdbfj.cloudfront.net/f/WebAdvisor/images/943/EN.png

HTTP Response

200

HTTP Request

GET https://d3gsu8mttfdbfj.cloudfront.net/f/AVG/images/09052021/EN.png

HTTP Response

200

8.8.8.8:53

d3gsu8mttfdbfj.cloudfront.net

dns

0f29445baa824f6729cbda3d90b15cec.tmp

75 B
139 B
1
1

DNS Request

d3gsu8mttfdbfj.cloudfront.net

DNS Response

18.239.47.16

18.239.47.114

18.239.47.70

18.239.47.43

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
644986cba62796e5e29f6c8fb41eaa7d

SHA1
4f9ff8e4ee606da7cb446382d14436c63cf57078

SHA256
514cba6cae6d8321fe83f5fe717c9684cf6c521a26a8be1c6f80deaca32f6cac

SHA512
54c1c335c3a549937c1eadd8ca51a2df88819ba6730442fc704c0d92defbd1d7592408c20389af12930f8c49fc7e512bb81d7b7e92bf8e47678ae035f8017b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EF4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5F35.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EFAN.tmp\0f29445baa824f6729cbda3d90b15cec.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DN663.tmp\loader.gif

Filesize
10KB

MD5
f23a523b82ad9103a9ac1dcc33eca72f

SHA1
5363bb6b51923441ef56638576307cc252f05a71

SHA256
59853c413b0813ded6f1e557959768d6662f010f49884d36b62c13038fac739c

SHA512
514ec63f7ed80d0708f7e2355fad8a558b4dcf2d0122ff98fe7c3ca1f40e7cd04e8869ca7a3b95622c0848c0d99306d7e791b86ca69b9e240beae959ca6285be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DN663.tmp\logo.png

Filesize
9KB

MD5
2c050a55ade91ca10c94c41fdceaa8cb

SHA1
178fd0ee1c184fe681d89bff0ff8b89392723a67

SHA256
43262c9cc6328d67007b97a8eb36c924d05d45a383349e61b067f35677e1ad6e

SHA512
425825cbe2a417f10832c37fc0e571ca3e3f9b940f93f9f8ec8fcff2df896a52ff753386c30e03836d588b6bf355323dbea2e3a0cbf756f8f3c7065335cbfeac

Download Submit
\Users\Admin\AppData\Local\Temp\is-1EFAN.tmp\0f29445baa824f6729cbda3d90b15cec.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
\Users\Admin\AppData\Local\Temp\is-DN663.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-DN663.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/2284-131-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2284-0-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2468-134-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2468-135-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2468-141-0x0000000003A60000-0x0000000003A6F000-memory.dmp

Filesize
60KB

Download
memory/2468-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2468-149-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2468-150-0x0000000003A60000-0x0000000003A6F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.