abebd3a601c204a7ba0b99ee1ec45ad8143d502c5b51c2b3353942b81fe6ddf3

General

Target

147ed0a890a96750cc0b596f46ac7e20.exe
Size

2.6MB
MD5

147ed0a890a96750cc0b596f46ac7e20
SHA1

6bfb421f6bccf2a80b0756a9ae9289d300f51ee4
SHA256

abebd3a601c204a7ba0b99ee1ec45ad8143d502c5b51c2b3353942b81fe6ddf3
SHA512

d7fd1380d9242d76b415c8e33a128c96c7f5167aed2db9d428df4c1e84dc49bbf532c20648895702b71fd5abd01f101bb68b7b8dac0585743ea934ecefa7b28d
SSDEEP

49152:pqe3f6aqzDYP6QkO6U6HP6Rbt2sAoHCL+WuTmuKwEL:ASi1DYP6Qk/U6iRbtbAoHCK5NKXL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1532	147ed0a890a96750cc0b596f46ac7e20.tmp

Loads dropped DLL 3 IoCs

pid	Process
2560	147ed0a890a96750cc0b596f46ac7e20.exe
1532	147ed0a890a96750cc0b596f46ac7e20.tmp
1532	147ed0a890a96750cc0b596f46ac7e20.tmp

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	147ed0a890a96750cc0b596f46ac7e20.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	147ed0a890a96750cc0b596f46ac7e20.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	147ed0a890a96750cc0b596f46ac7e20.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	147ed0a890a96750cc0b596f46ac7e20.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	147ed0a890a96750cc0b596f46ac7e20.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28
PID 2560 wrote to memory of 1532	2560	147ed0a890a96750cc0b596f46ac7e20.exe	28

C:\Users\Admin\AppData\Local\Temp\147ed0a890a96750cc0b596f46ac7e20.exe
"C:\Users\Admin\AppData\Local\Temp\147ed0a890a96750cc0b596f46ac7e20.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\is-C1OK8.tmp\147ed0a890a96750cc0b596f46ac7e20.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C1OK8.tmp\147ed0a890a96750cc0b596f46ac7e20.tmp" /SL5="$70122,1793774,899584,C:\Users\Admin\AppData\Local\Temp\147ed0a890a96750cc0b596f46ac7e20.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
915a495fe553301f56d931b65048de5b

SHA1
dfba93622b8d300cdf39d24ce4bcba9d0c3fa7f0

SHA256
fb37ff22cfbb7161c2ffaa5865aa69b1ee32b5d6b96e370e04d683e9e87e47e0

SHA512
c5d208fbbb3d4a315ab14ef5ba4d43653ebd503168bcffe7da7ed51209d73ac7a0060bc2973220fd9c71528868d5ca38c2e63afbf720f9984eaa04ce2e01734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab538E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar53B1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-58QQE.tmp\loader.gif

Filesize
10KB

MD5
042bbc484750db9686ac84d4ab62f771

SHA1
522e02ad62a95884fe50efc5d04a26593103c12a

SHA256
0a649da66beb5627ca167029ed8560c4a07f3cd611db37514a734230e00d637f

SHA512
cb347ebb856805a1a76511a724d52ff027ba79567c4a327ecfbcbf0e3a158048bf68755359623d2f4082760edf7b7ba665a057f229a3932c8fcc9fbae6294530

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1OK8.tmp\147ed0a890a96750cc0b596f46ac7e20.tmp

Filesize
695KB

MD5
31673bca52c736725145789b49d6c0c4

SHA1
ad2441b2eed270259d073cf238df161b2ebdeb22

SHA256
97fe1ee974cf8e945c28b8a8f4390283a7522311c0556d129af9074be4adf391

SHA512
de78a471cd68c1253792ae4c7e098073c6ef8b9e3f08e9ee33fe3f08e58ed86a30ede749b6aec682ae2e525d53f4f9d87de4bd43cc793827f0cedb1fd8c9cb4d

Download Submit
\Users\Admin\AppData\Local\Temp\is-58QQE.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-58QQE.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
8b03d5f13240d4395654ac0074a95728

SHA1
89d0f5039379fdda7719fa8b5ab3a46a92e3a064

SHA256
f88d2226bbac1b61dbc22c968721f4b9f961c0a6aa75d88f303649bc930007d6

SHA512
bb8e2d2c34e8c2d84c1c9579130b8dcded2fa90dbc6d2dc6f54c9114f13a32941571c57a25e16e42e4652eda52201ceb560ba5a726fce1f053613e51752d52a3

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1OK8.tmp\147ed0a890a96750cc0b596f46ac7e20.tmp

Filesize
1024KB

MD5
5d37322f9fa1382723246dba0913bf69

SHA1
98ef77992c78af1f6ebd8aacfc407c2c7d841c33

SHA256
51e92981bb2af775e3ecfecc27bc084a3827d1215c2e80786b8b90c8d80543ba

SHA512
6c0b87d73a3be329f4acbd7e15ce326343047359db7baf398cfec041fcbce4503c0d27d4b2d6d69b39c68775865322bf25253f94ea1fb2517cfcb6e96ade59a7

Download Submit
memory/1532-134-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1532-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1532-22-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1532-135-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1532-138-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1532-140-0x00000000077D0000-0x00000000077DF000-memory.dmp

Filesize
60KB

Download
memory/1532-146-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2560-1-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2560-21-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2560-148-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing