53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd

General

Target

53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe
Size

1.9MB
MD5

b21565ad467257f5bded3df6da27cc12
SHA1

5a55768ebd69a2a31aac377153133135f3cd500a
SHA256

53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd
SHA512

49b8670ea05d8231558011ba13242c78b2ae356ca76cbe0fc001d49379aeb930cfabaf0a915430e1ed6c95081e58f49ce9e177034feba55ae0ebbc39c05921bc
SSDEEP

49152:Oat7AeQ2T0K5x+5ddADpNoH3KA4V/O9ZrqWj:P9AeQO+5ddAU2V/O9Jj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp
2876	Offercast2801_ARS_.exe
2552	Offercast2801_ARS_.exe

Loads dropped DLL 5 IoCs

pid	Process
2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe
2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp
2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp
2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp
2876	Offercast2801_ARS_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	Offercast2801_ARS_.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Offercast2801_ARS_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Offercast2801_ARS_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Offercast2801_ARS_.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	Offercast2801_ARS_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2876	Offercast2801_ARS_.exe
2876	Offercast2801_ARS_.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2544 wrote to memory of 2172	2544	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe	28
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2172 wrote to memory of 2876	2172	53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp	29
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30
PID 2876 wrote to memory of 2552	2876	Offercast2801_ARS_.exe	30

C:\Users\Admin\AppData\Local\Temp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe
"C:\Users\Admin\AppData\Local\Temp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\is-NA8AB.tmp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NA8AB.tmp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp" /SL5="$400F8,1731734,54272,C:\Users\Admin\AppData\Local\Temp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\Offercast2801_ARS_.exe
    "C:\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\Offercast2801_ARS_.exe" -b -pid ARS
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\Offercast2801_ARS_.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\Offercast2801_ARS_.exe" -b -pid ARS -se -ppd 2876
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\APNAnalytics.xml

Filesize
2KB

MD5
69b7c2ec83f0f95c81dc6e35aa2f6de5

SHA1
3d23dc65204565a67b4c0702a63cb83d79053e06

SHA256
14269f2558d9af0259153dfc77f43831f1a4d3f15dcb628e3e7a48cc3054c755

SHA512
a2194a56c2269beb8290a288c745a39ac18a75b7adc58f436b76764b595ad77c0b7e59f08458b03a85be9d5f33af2bc5a3792836abe48d8aa7c8325bcfd01c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\apn_pip_local\objectmodel.js

Filesize
1KB

MD5
452a7be33226b83f62bb477cfefb624e

SHA1
387902216ccbc6d8f014214ad61723b5198e635a

SHA256
afa1881d3b2b142fa20a47c7bec3ac0d3d6e2dfc427e335e2911f68c77ea9fc0

SHA512
1ec70a941c056af2adfc6d997638814b88ee1ce5acc66139bcc82c3cf730fbdcd99248e8d627cc95cd4016a9a08d77e20ca4d9d1b6f465ac0aa91e51eb07fb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\apn_pip_local\orchestrator.html

Filesize
12KB

MD5
fdd740a29f5849b4082b4267c045e33e

SHA1
f859657d5b5d244218d7a4b051681a042eaecb87

SHA256
1c784689cbe6f5597d72e6a672fbd5d7d536e288e2b6fc3c0f55d67d2fd86752

SHA512
28a159d0fc5f9fc3697329b6286b33ce66115b9892dfd18d777d7ad188a0b443e28082693914c3ac1d42d6504a6aacfc09948219dd1f9e48a08ca64608fefda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\apn_pip_local\rules.js

Filesize
59KB

MD5
3572bcd67fc5eaf8dfcb25f4b72ee953

SHA1
3bc098ff722a946a578910a11b579ab9df6e283a

SHA256
0553a1835f064dc2c48db4864b30d2b74013c69f59f5fdc7b5851d1d1915c3fe

SHA512
9fb62873367dc82cdc7bf4da3066e09dbca14b7fd198a65e8264bae2bde0f9c29a38e82e23354ee89ed071b8af2417d29fae21896fa09c3efd3dabee759a8e7e

Download Submit
\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\Offercast2801_ARS_.exe

Filesize
997KB

MD5
3eb7286bf1d179d2deb77f342656ccf2

SHA1
a50bd1060c8f84fc00403cabd87c83ca24741ff4

SHA256
9ac9365008d86c530c88ce79750a1e104c085dea1e382808565eab07f46aaa9a

SHA512
5db91a7fcc92df3ac2aeaedc397a9fbf6f7485a4591320ed6377be53410880b2cf2579cae587b2fb6be66834832e3f37863865be81a063a09bde7129ff1ead64

Download Submit
\Users\Admin\AppData\Local\Temp\is-7KSUE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NA8AB.tmp\53b7f2151531e8b241dac9466fef8c27cd05aa317b3066f40b9cec3669912abd.tmp

Filesize
688KB

MD5
67c5a4f36e1c91a3b85e440edd7ad026

SHA1
e49ea0e558ed682498cc61b3070e4c402fbf0912

SHA256
99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

SHA512
40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

Download Submit
memory/2172-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-92-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2172-93-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2544-91-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-51-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2876-23-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2876-96-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads