97a3660e3d6f4fa4bf27ffad99d1d0a0495fa5f7c463bf2a0752d0f9c1387d4a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08285378a795457ebdeb6e6c20f8ecca.exe
Size

947KB
MD5

08285378a795457ebdeb6e6c20f8ecca
SHA1

2ec9cf21a4fb24ec7c6be7f6503aa7695c19ffe9
SHA256

97a3660e3d6f4fa4bf27ffad99d1d0a0495fa5f7c463bf2a0752d0f9c1387d4a
SHA512

d40e98fbf26c2ee8ca7e9d3fa90c85c62f3f4524fcaef0c1b81cb9a7125162bed6104d55bd792b685dd9f801caf3606e22df39ba6d8e5fc8feb27f92a1ce2a64
SSDEEP

24576:1t/+S7t8st/FDlYP5nlgKGGuv8Cs9mBlmPYP:1kC1lYtlg5Guc9C

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1652	internal08285378a795457ebdeb6e6c20f8ecca.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	08285378a795457ebdeb6e6c20f8ecca.exe
1792	08285378a795457ebdeb6e6c20f8ecca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	internal08285378a795457ebdeb6e6c20f8ecca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	internal08285378a795457ebdeb6e6c20f8ecca.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2244	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1652	internal08285378a795457ebdeb6e6c20f8ecca.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1652	internal08285378a795457ebdeb6e6c20f8ecca.exe
1652	internal08285378a795457ebdeb6e6c20f8ecca.exe
1652	internal08285378a795457ebdeb6e6c20f8ecca.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1792 wrote to memory of 1652	1792	08285378a795457ebdeb6e6c20f8ecca.exe	28
PID 1652 wrote to memory of 2880	1652	internal08285378a795457ebdeb6e6c20f8ecca.exe	30
PID 1652 wrote to memory of 2880	1652	internal08285378a795457ebdeb6e6c20f8ecca.exe	30
PID 1652 wrote to memory of 2880	1652	internal08285378a795457ebdeb6e6c20f8ecca.exe	30
PID 1652 wrote to memory of 2880	1652	internal08285378a795457ebdeb6e6c20f8ecca.exe	30
PID 2880 wrote to memory of 2244	2880	cmd.exe	32
PID 2880 wrote to memory of 2244	2880	cmd.exe	32
PID 2880 wrote to memory of 2244	2880	cmd.exe	32
PID 2880 wrote to memory of 2244	2880	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\08285378a795457ebdeb6e6c20f8ecca.exe
"C:\Users\Admin\AppData\Local\Temp\08285378a795457ebdeb6e6c20f8ecca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\nst199B.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe
  C:\Users\Admin\AppData\Local\Temp\nst199B.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/08285378a795457ebdeb6e6c20f8ecca.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst199B.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7989.bat" "C:\Users\Admin\AppData\Local\Temp\9981FB90477E41C4A92F10047A8D59B0\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\$I0ASFOG

Filesize
544B

MD5
45af270fb2552b9d667dcd226de34948

SHA1
52d714103863e2e73bcf8bc7c2e85b485956cc48

SHA256
f6a253ee28ba56bd1b5d4ca22f990d7d31967ad8158f862e5ebafbcb05b0b443

SHA512
61fcaba0f9ca8f368afd686a9ee0214b091f9fec207d55d950eaf3b5e34367c2eb51be906215d994f27861ebf93187511fbd1b2c379648058ddfdbedf24aab64

Download Submit
C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\$IWX1I4K

Filesize
544B

MD5
fb22003c41b54fa2120ec3ca64300bdf

SHA1
79dbb75b129598fb6cb5f59450c2f5d91e79321d

SHA256
9eeeaadeffbfa8502714badaf698c78f26db15e3676a212a9b3524c236c3983d

SHA512
a8339c3b8f959c3a0d499084850603cde5c9c940009a16d15a64137736e1ad11ad37b79edc4f71c48db91ad8935508707271cf10486d994ac6e8b5d9112846f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d6c4c553f9b17bbddcd6f1cbda29ceb

SHA1
391ed18a9803448a3056de159880606321f73174

SHA256
88397d906e8cfeab2bd9dfa7c986cde9406a51b46bdc557f1726cdb248b4d846

SHA512
d6f7de944e4fffc92e92993c35278f911589167ca7fd9bb9c0ab2230078bd5139d54a9ad95dbc50c399a2f3c7005a20ca234eee9642e9adbb71e5d8aeea17e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7989.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\9981FB90477E41C4A92F10047A8D59B0\9981FB90477E41C4A92F10047A8D59B0_LogFile.txt

Filesize
3KB

MD5
0c0b50a6cf425e399c57ddc757ae347f

SHA1
a52c1ac8e65e851b4df43839274d7ce5c82976d6

SHA256
e0e2d82cdf429953a781ef966019548c93a57e3e6d8f9ad636793d2c8785ae9f

SHA512
fe587f2041758a4d931c728cb302d1e2c3bfde42e3390dcdb795a2c02a6f6711d9b6e0e21cb5d9e5a2a5cfa46749c5546d40c10a039c86885fb429602af6ef33

Download Submit
C:\Users\Admin\AppData\Local\Temp\9981FB90477E41C4A92F10047A8D59B0\9981FB90477E41C4A92F10047A8D59B0_LogFile.txt

Filesize
5KB

MD5
d3a31a5254aeb21e262ebd901a8bb8a2

SHA1
7bcc537afebf2d5c270d9652215686d47e56a3f1

SHA256
1f18c8370ab70f20bb273a653e255548052582c7f7bb8fdabdd6c6084684f48a

SHA512
eb2a4a30b0094a6549c16331938ee5fb0d98858641e272b92303ff276af4be49ab467edefdd2b2ea0aaa03a91cf6208d82e0cd7683264bcd4c07fba432b4773f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9981FB90477E41C4A92F10047A8D59B0\9981FB~1.TXT

Filesize
108KB

MD5
7c10ad4c3b119889938afda1f864acc3

SHA1
99eec09314de9a1238df78a3e0cbfd8f943139bb

SHA256
509f0befef8f1848e2f14d347293cc481110b09663b7544b5abda51564a25e2c

SHA512
099cf31ea40a80a1acb4895cf52b8f9dba8d1767da72c9c5a518f371a496ffb3b9dba76f449c2a929106f487b32e2c37761058afe9c48831e27ac7d1aeccacaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D12.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21A9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nst199B.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nst199B.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe

Filesize
1024KB

MD5
c2ee0cc2b19e1432104a5928cb001f69

SHA1
0632a0db2ed5b80a8938f1ff624ff7a008d834b4

SHA256
a48a1861a13ac72e5a65ec6418d63747ac6fd5aa45b44c07c1ea7e7e92da122f

SHA512
014d4a76e8e9171e4a6571d56fb292063022214b778099655d7eacb8665ab98c22e8242c2aba5249bd6a3ac815b86140220a2716dce40889886e80ad7894ccdf

Download Submit
memory/1652-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1792-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download