166499205a2dbd87be3f4832628fbb86565fe6a7a05cd27eed3f67ee6c48ccdc

General

Target

759b4fca4e0f83ea18b5805237ef7eab.exe
Size

152KB
MD5

759b4fca4e0f83ea18b5805237ef7eab
SHA1

c53c03a167771e68ec2aa5d4e9b1192fcc715fcc
SHA256

166499205a2dbd87be3f4832628fbb86565fe6a7a05cd27eed3f67ee6c48ccdc
SHA512

73bc2689a902d39534aae9abfe1ce073e32c00f0267344e6fef8d053ee389d3fb46d312cf8bdd3d288cc3f3337dcd3ebeae6a38d7220f22189aa79a910670ad5
SSDEEP

3072:X8s1Gp7KusH9Cz7LNdzzxCnJ5MHfPRmLu9W9F3OeXLx/AYHu2:M3pZnf5hz4nJ65mLmWqebxoYh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5620	norths.exe

Loads dropped DLL 3 IoCs

pid	Process
3076	759b4fca4e0f83ea18b5805237ef7eab.exe
3076	759b4fca4e0f83ea18b5805237ef7eab.exe
3076	759b4fca4e0f83ea18b5805237ef7eab.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	norths.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	norths.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	norths.exe
File created	C:\Windows\assembly\Desktop.ini	norths.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	norths.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	norths.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	norths.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	norths.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5620	norths.exe
5620	norths.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 5620	3076	759b4fca4e0f83ea18b5805237ef7eab.exe	85
PID 3076 wrote to memory of 5620	3076	759b4fca4e0f83ea18b5805237ef7eab.exe	85
PID 3076 wrote to memory of 5620	3076	759b4fca4e0f83ea18b5805237ef7eab.exe	85

C:\Users\Admin\AppData\Local\Temp\759b4fca4e0f83ea18b5805237ef7eab.exe
"C:\Users\Admin\AppData\Local\Temp\759b4fca4e0f83ea18b5805237ef7eab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\norths.exe
  C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\norths.exe /dT201303141140 /e5363385 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\System.dll

Filesize
21KB

MD5
5ebc73650256e9c8ddbcda231db829a1

SHA1
988d4535e18754ab2a6248abae96c5697d7dbcd5

SHA256
1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493

SHA512
b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\VPatch.dll

Filesize
10KB

MD5
20ee82203544c4f831a7dc1650e7ec51

SHA1
671affb8e32f06777483782197173af254e02548

SHA256
69a00c14562ea5a71f6196b307292fa6d8b1a2fc02368020f40c84b3b0a1a83a

SHA512
4dabcc0cfebb36cfe57fa05777224f45c04c84031cfecf4184bd95d2b148ce18a6c91655320e69c1709e740a261e1e25effc8395fed91d0fc61b18f9a9f7685f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\norths.exe

Filesize
261KB

MD5
aa00bd7622a1c4207dd474f7887f5f38

SHA1
23fdb3d65ba502c9987066d0c425ea6bd1d26523

SHA256
4513217d4e02ea5ff4521565b2a24f3a2521a6cfcd034f3f43af4fb4ad8ba73f

SHA512
c7cdefc4eb068c23bbe34ca5c43ef74afe8a31289201f4acf6864084543fe6ab75a5df5064bca620b45a50f945121406add4272b5aec157acaade1202f613ea6

Download Submit
memory/5620-22-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/5620-24-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/5620-23-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/5620-38-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/5620-37-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/5620-40-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing