ec00a06be0873cc6cd634521df8b98c270cee73f7fe27e0c8af99fa6fc30fdee

General

Target

NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe
Size

70KB
MD5

d4527d5890cd52c81a1c4d8365aacd60
SHA1

3896da469f7fa84a16c2fb12c9902a49c06eea4b
SHA256

ec00a06be0873cc6cd634521df8b98c270cee73f7fe27e0c8af99fa6fc30fdee
SHA512

0ab87bf374896544f79d095192cea164c7f2ff2966ec0b5c423ffaf28ad554fb35d80831c02f871467ab3edfdefc0f45971089b433825f60eb37235a149e948b
SSDEEP

1536:WZFJTafg3hnfq4yyFB1iRT9bPKzvcOZ70AKgAr:2FGgRfqI8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1224	retro.exe

Loads dropped DLL 1 IoCs

pid	Process
2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	retro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	retro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	retro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	retro.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe
1224	retro.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1224	2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe	29
PID 2732 wrote to memory of 1224	2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe	29
PID 2732 wrote to memory of 1224	2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe	29
PID 2732 wrote to memory of 1224	2732	NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d4527d5890cd52c81a1c4d8365aacd60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\retro.exe
  "C:\Users\Admin\AppData\Local\Temp\retro.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5b8bfb67c1e9b49f4e95c73ddc17f2f

SHA1
46388ac432fc0c620c57bfe34d240e8be8be28eb

SHA256
45c778beb6e398b4113d92f5120d8e0273b8888888020d8261e328d7d16b94f5

SHA512
c47f4350a6312647b1f58cffc2a5d7e0635a330673ebea8ba4863869e95c0b3b83e98f26d6fb163d6df031759d76fb1d30d70a1d75cd1b9e96d1d17a433fa07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26A5.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26C7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
71KB

MD5
8e11a21dd6e2c5fe92ad0a1af0d69976

SHA1
5f1ab3525c0c7d019727ddde4eadbbbfbb2dd2c4

SHA256
a2ea4f35a39ce0281ac8c4465a937da844ef1fcd398cc5f6c5f5b5617dbc469f

SHA512
e67307225d4741b39727fcf2d68a4dadeb3388bfac320b946a3b92cbb515c94430b7b6fa8b27ce46506ddb2db7f9eb10c40bb00d7ff4615711b6c08b8248da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
71KB

MD5
8e11a21dd6e2c5fe92ad0a1af0d69976

SHA1
5f1ab3525c0c7d019727ddde4eadbbbfbb2dd2c4

SHA256
a2ea4f35a39ce0281ac8c4465a937da844ef1fcd398cc5f6c5f5b5617dbc469f

SHA512
e67307225d4741b39727fcf2d68a4dadeb3388bfac320b946a3b92cbb515c94430b7b6fa8b27ce46506ddb2db7f9eb10c40bb00d7ff4615711b6c08b8248da36

Download Submit
\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
71KB

MD5
8e11a21dd6e2c5fe92ad0a1af0d69976

SHA1
5f1ab3525c0c7d019727ddde4eadbbbfbb2dd2c4

SHA256
a2ea4f35a39ce0281ac8c4465a937da844ef1fcd398cc5f6c5f5b5617dbc469f

SHA512
e67307225d4741b39727fcf2d68a4dadeb3388bfac320b946a3b92cbb515c94430b7b6fa8b27ce46506ddb2db7f9eb10c40bb00d7ff4615711b6c08b8248da36

Download Submit
memory/1224-26-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1224-18-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1224-27-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2732-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2732-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2732-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-2-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2732-1-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing