16a6b731a1ed644dfcf898bf8a42246266c12c4f29b75ef0af60e9e2a22f86a0

General

Target

527c0a92f14411fd7cbb755d680eac7a.exe
Size

754KB
MD5

527c0a92f14411fd7cbb755d680eac7a
SHA1

8df3dbe928757deee5a78b1859cc8c802ed01685
SHA256

16a6b731a1ed644dfcf898bf8a42246266c12c4f29b75ef0af60e9e2a22f86a0
SHA512

31d56df65f7c543f222728d2e3671d5d98cf063405c3f74b73ede70b0f80c53ed06d11e4134161283a5e6466c0b0c9d09f0c640e742e6c62bda11fc111afd35a
SSDEEP

12288:7BhyRKF9Je6ouxOtgwl0VgcLD7cFM1MY1S1jeqcpfpu9ljNq3jbGNDmUAMNKoNNl:/oKF9JlCWTHDcFhY1SuUlNWjbqmUjNbB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2536	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1812	527c0a92f14411fd7cbb755d680eac7a.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1812	527c0a92f14411fd7cbb755d680eac7a.exe
1812	527c0a92f14411fd7cbb755d680eac7a.exe
2536	setup.exe
2536	setup.exe
2536	setup.exe
2536	setup.exe
2536	setup.exe
2536	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28
PID 1812 wrote to memory of 2536	1812	527c0a92f14411fd7cbb755d680eac7a.exe	28

C:\Users\Admin\AppData\Local\Temp\527c0a92f14411fd7cbb755d680eac7a.exe
"C:\Users\Admin\AppData\Local\Temp\527c0a92f14411fd7cbb755d680eac7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
92KB

MD5
7998b3dfdee9f0f438041129afc04137

SHA1
91af42e290aabd48cc681a8b22cc4f591c253e1c

SHA256
86ecceb247874b6965b0ff93cc8e305f3e062f43bd3c6fa4221361a2618fbff3

SHA512
d2893314658e14f51873a38d3e49bcddd806e174222735e7acd9806adf1363b706140ebc30cb789c1ef84749b27a4c5f17a3b57bd9a6c061d9aeba8946c61bfb

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
754KB

MD5
527c0a92f14411fd7cbb755d680eac7a

SHA1
8df3dbe928757deee5a78b1859cc8c802ed01685

SHA256
16a6b731a1ed644dfcf898bf8a42246266c12c4f29b75ef0af60e9e2a22f86a0

SHA512
31d56df65f7c543f222728d2e3671d5d98cf063405c3f74b73ede70b0f80c53ed06d11e4134161283a5e6466c0b0c9d09f0c640e742e6c62bda11fc111afd35a

Download Submit
memory/1812-0-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/1812-4-0x0000000002740000-0x00000000029AD000-memory.dmp

Filesize
2.4MB

Download
memory/1812-7-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/1812-99-0x0000000002740000-0x00000000029AD000-memory.dmp

Filesize
2.4MB

Download
memory/2536-9-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2536-98-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing