23661cf1ddcd3e3a1c467d3d1c4f0b8cc288648602fb138b925c5b5daffd5755

General

Target

0ad3a168339c1ea019a3450fe22b49fb.exe
Size

754KB
MD5

0ad3a168339c1ea019a3450fe22b49fb
SHA1

af0f0bfed710c4a81820f1ce1913c764fbb507ec
SHA256

23661cf1ddcd3e3a1c467d3d1c4f0b8cc288648602fb138b925c5b5daffd5755
SHA512

9aba80b5df361d9ab6d83ed7dd8202ab66db7d3fe33b781ede7e66f9e621efdc5c1abaf37d62c1a9cb221ae24dd1b9dfbc635190446eac4d0f046474a4222897
SSDEEP

12288:iBhyRKF9Je6ouxOtgwl0VgcLD7cFM1MY1S1jeqcpfpu9ljNq3jbGNDmUAMNKoNNB:+oKF9JlCWTHDcFhY1SuUlNWjbqmUjNbt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	0ad3a168339c1ea019a3450fe22b49fb.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2212	0ad3a168339c1ea019a3450fe22b49fb.exe
2212	0ad3a168339c1ea019a3450fe22b49fb.exe
2772	setup.exe
2772	setup.exe
2772	setup.exe
2772	setup.exe
2772	setup.exe
2772	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24
PID 2212 wrote to memory of 2772	2212	0ad3a168339c1ea019a3450fe22b49fb.exe	24

C:\Users\Admin\AppData\Local\Temp\0ad3a168339c1ea019a3450fe22b49fb.exe
"C:\Users\Admin\AppData\Local\Temp\0ad3a168339c1ea019a3450fe22b49fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07e79727fe2163e76365bba9a03166ed

SHA1
9b7a4e64f8e4b6a18cdbbfea88ed52eb5a5dd34a

SHA256
383a4def2edb997416166536f74681e6b17f24bbcda25733a9af5875fa4e15f8

SHA512
65a5fcef7e782bf639ca91ce3187ec40504d86e83a10ae92ba06a79bd63485fe7d6a25c9ab6a3968198827465baa0ff0cdcd264afe643c9b1682ffa8ea376439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c19a6881e2230498ab583f1279a133f

SHA1
5c2b820874b37040aca83709e26ea4f872410813

SHA256
5da8b4a6bf68767007161644bdf3907b2e23076090e6563433557d1e156fe5d5

SHA512
9f4773379a58c4dd9a07880b30c1635a4309dfce19ee46996c8230de9532eb3f001d04986664e088540ec1aa01ae0c21a56a6e250b45cb47f06347722b4ea9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6386.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63B8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
537KB

MD5
697ae1949b07dab883002d207c0839e5

SHA1
fd693b4f9833515a9ba060a2b2d7f49145bf2012

SHA256
3f66cd12bd7101689688a400c44bdd0ac296ef711269b481efe750926e1cba3c

SHA512
c0e0edf734995f7ce75c16c7135460de5d3fafbbeade579a0606fa082b09b59e4be2c59e1e9ccd3865ecc131d4c2f299e2813e2f6daee8f5982464b2300e0f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
527KB

MD5
e57fce96051a7dbea592e0f9f35867a4

SHA1
1ba9514e81eb20163f7d1cf5b5be5769aacb3ed4

SHA256
df93e2e293a267e33f0c830c4bcfef37c48e401d98e3d47e8a440751498740fc

SHA512
b35d50a44c8b43c8d93b86fa517bc14ebe544f9cad176f884225ee7eb3f513e345e75ca055be0fec50727c10d2eed3e585614018f0b51280fc1570be2254ca68

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1KB

MD5
e322b0e5ca1a5dbd0cb5dcebcb779fe2

SHA1
7c344fabdc6f6a5dd251c545e0708f0ed5bb059d

SHA256
a821fcac01bf6e0f549687188bb12191394a612d2b57b42a4c54ea22196574d2

SHA512
5e6fc025fa8753df7c8621c3750dacb4ca8e115dfd43e0527bcc4a97b2e6f5a164b9a0f3bbbaffedb44977f1fc287d8330be9bc07b04056946998fdd3956d751

Download Submit
memory/2212-7-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2212-0-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2212-4-0x0000000002610000-0x000000000287D000-memory.dmp

Filesize
2.4MB

Download
memory/2212-105-0x0000000002610000-0x000000000287D000-memory.dmp

Filesize
2.4MB

Download
memory/2772-9-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2772-95-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2772-103-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing