d6dda35121b08926af752fa94a6c7ed813ad6173d770dab74512c7e1bd519adc

General

Target

57c657d65e6f838951a7765587d0b0e6.exe
Size

1.6MB
MD5

57c657d65e6f838951a7765587d0b0e6
SHA1

b5f4f3081036f1769a80b7dd885b6bffd1a8911a
SHA256

d6dda35121b08926af752fa94a6c7ed813ad6173d770dab74512c7e1bd519adc
SHA512

c8c96844076adebd798c6df13b4791ebfd81871505ae2a919dfe8a300d55f58b44877173bdfe951b510d46ba0269ec877cc3b6b6bd5325b9ad92e1685879bb63
SSDEEP

49152:fZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9Q:fGIjR1Oh0Tk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	57c657d65e6f838951a7765587d0b0e6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	57c657d65e6f838951a7765587d0b0e6.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2988	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2376	57c657d65e6f838951a7765587d0b0e6.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2376	57c657d65e6f838951a7765587d0b0e6.exe
2376	57c657d65e6f838951a7765587d0b0e6.exe
2376	57c657d65e6f838951a7765587d0b0e6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2216	2376	57c657d65e6f838951a7765587d0b0e6.exe	29
PID 2376 wrote to memory of 2216	2376	57c657d65e6f838951a7765587d0b0e6.exe	29
PID 2376 wrote to memory of 2216	2376	57c657d65e6f838951a7765587d0b0e6.exe	29
PID 2376 wrote to memory of 2216	2376	57c657d65e6f838951a7765587d0b0e6.exe	29
PID 2216 wrote to memory of 2988	2216	cmd.exe	31
PID 2216 wrote to memory of 2988	2216	cmd.exe	31
PID 2216 wrote to memory of 2988	2216	cmd.exe	31
PID 2216 wrote to memory of 2988	2216	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\57c657d65e6f838951a7765587d0b0e6.exe
"C:\Users\Admin\AppData\Local\Temp\57c657d65e6f838951a7765587d0b0e6.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9258.bat" "C:\Users\Admin\AppData\Local\Temp\4374B08AD36E438BAC629C31AA0BC1B2\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3e58424086f0de7a56641cf0543ff76f

SHA1
2c5f72013f3be0c74777bffd2ae0dde9dad69693

SHA256
0f3150cc0d7407f1ea7a9979134b2e1be828ec703b00f44450a5c503df166211

SHA512
565fbe1eeb00219d4ea932f499471b3f4afd1ff7dbe8cd09f8f2293919634158eeb75e0d84bb7acf1e4f82ce97e2147e6d0e3acc72179bc95be7d5501582d9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4374B08AD36E438BAC629C31AA0BC1B2\4374B08AD36E438BAC629C31AA0BC1B2_LogFile.txt

Filesize
6KB

MD5
77f2ba98d33c9e9fc1f8a0b698f002c6

SHA1
5b5273a1bf246dcb0c6b790479d29067e38070b3

SHA256
6ed3649b1dfc6a454aa1d15bffee0a5983db6c223964f6cf71749ca318c69931

SHA512
8cbe8ff9704c75121d7e5f918c5678918d7be2d4e8d7e555ef4373ccc45070e4f62f5a945f352c50225a608f7fdddb9693490c263f50148c4e937fcdfc58cb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4374B08AD36E438BAC629C31AA0BC1B2\4374B08AD36E438BAC629C31AA0BC1B2_LogFile.txt

Filesize
2KB

MD5
46e69ab266cc0d472bced1636ce790d9

SHA1
ef5dff1127fa30bfd3eb4f1807894b3c1898ecae

SHA256
646c959688ad2ca0c8ff88915338415702e9d3b2b3d4d4d862c453f8230eec33

SHA512
7fe04dd29ec68ea055410a15d614a29a16e2487526bd26a3ceac5497870172146043ee039da38e1940c98ad6b77614f1533801088aa47b9b06b06c7a076c038e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4374B08AD36E438BAC629C31AA0BC1B2\4374B0~1.TXT

Filesize
100KB

MD5
03859a1aa69a0cab0789db7579868cad

SHA1
cee8e2f4ca4f661c180918bc0facc343c30cdadd

SHA256
9415abedb43f963e01127fa86e2a9e931f398fbd8361988e785054e3342b4ee7

SHA512
cf27aba3116aba9497fa0b4dbdce8d6d98151561f10423bc406046bf04bd06142ed00cb6d6caf83ef848ef1f096717d78fcefe1a16c7527320e17c7206cc26f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9258.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar120F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2376-63-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing