ad2d81fdca6722c9e02c7661ee9c3d6cd83599820d17e4a1d6667f02b4079d22

General

Target

NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe
Size

21KB
MD5

45c67e82d5e3084172b7ed17a021c4f0
SHA1

59aba63c4ce1dc10678443839d770b6445cb37b2
SHA256

ad2d81fdca6722c9e02c7661ee9c3d6cd83599820d17e4a1d6667f02b4079d22
SHA512

3e44413768997eaad8db76cba8e34d0cbfbde0ed2c154841fc71487d3f613c45ecc1f9cad6e823a4cf176c267ff835edc3f1c988839e71c9ef99ed10422f385a
SSDEEP

384:lFFxBmppyRGn3SDyD+w5zYQ/T6Mg7+fKZ:zFxIppD+CT677+S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	fulik.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe
1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fulik.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fulik.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2340	1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe	28
PID 1620 wrote to memory of 2340	1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe	28
PID 1620 wrote to memory of 2340	1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe	28
PID 1620 wrote to memory of 2340	1620	NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.45c67e82d5e3084172b7ed17a021c4f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\fulik.exe
  "C:\Users\Admin\AppData\Local\Temp\fulik.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fulik.exe

Filesize
21KB

MD5
0449780393067d3be00bf2f02e04f9c0

SHA1
574cd36005c379f03b55894ed80881c47b9c2071

SHA256
22b36ccc210065f59eebf71e111238b34263f736b0d4c01d1cc329cfdf6ae89f

SHA512
be95556b85b82ef7980d5348106df7af6ea64aea5c3853af64335f5185cee28d69c4d9ed5b9de6756349d6300e8212fb63bfa2171cc4d9e24f71919d7f8c4b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fulik.exe

Filesize
21KB

MD5
0449780393067d3be00bf2f02e04f9c0

SHA1
574cd36005c379f03b55894ed80881c47b9c2071

SHA256
22b36ccc210065f59eebf71e111238b34263f736b0d4c01d1cc329cfdf6ae89f

SHA512
be95556b85b82ef7980d5348106df7af6ea64aea5c3853af64335f5185cee28d69c4d9ed5b9de6756349d6300e8212fb63bfa2171cc4d9e24f71919d7f8c4b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fulik.exe

Filesize
21KB

MD5
0449780393067d3be00bf2f02e04f9c0

SHA1
574cd36005c379f03b55894ed80881c47b9c2071

SHA256
22b36ccc210065f59eebf71e111238b34263f736b0d4c01d1cc329cfdf6ae89f

SHA512
be95556b85b82ef7980d5348106df7af6ea64aea5c3853af64335f5185cee28d69c4d9ed5b9de6756349d6300e8212fb63bfa2171cc4d9e24f71919d7f8c4b29

Download Submit
\Users\Admin\AppData\Local\Temp\fulik.exe

Filesize
21KB

MD5
0449780393067d3be00bf2f02e04f9c0

SHA1
574cd36005c379f03b55894ed80881c47b9c2071

SHA256
22b36ccc210065f59eebf71e111238b34263f736b0d4c01d1cc329cfdf6ae89f

SHA512
be95556b85b82ef7980d5348106df7af6ea64aea5c3853af64335f5185cee28d69c4d9ed5b9de6756349d6300e8212fb63bfa2171cc4d9e24f71919d7f8c4b29

Download Submit
\Users\Admin\AppData\Local\Temp\fulik.exe

Filesize
21KB

MD5
0449780393067d3be00bf2f02e04f9c0

SHA1
574cd36005c379f03b55894ed80881c47b9c2071

SHA256
22b36ccc210065f59eebf71e111238b34263f736b0d4c01d1cc329cfdf6ae89f

SHA512
be95556b85b82ef7980d5348106df7af6ea64aea5c3853af64335f5185cee28d69c4d9ed5b9de6756349d6300e8212fb63bfa2171cc4d9e24f71919d7f8c4b29

Download Submit
memory/1620-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2340-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing