f87dc94bb2343d1693a87c773f53a793f5a8b5f589cd9048a6533c8db8e41abe

General

Target

736cafa831b40e66fe1c41a5db6e5926.exe
Size

1.1MB
MD5

736cafa831b40e66fe1c41a5db6e5926
SHA1

edfdbbacd95b4353f7dd9f7e73f04f400954bc98
SHA256

f87dc94bb2343d1693a87c773f53a793f5a8b5f589cd9048a6533c8db8e41abe
SHA512

b34185f31444243fdf38206d72d27f5254dd43a13147f73ef7b4da1ab698f8a894cf0954d3319c37dab55034a35ee9fb573712ba2f610c24a1a02e19035f89d2
SSDEEP

24576:VMKso1KxHzTDfGOH4T48mAymAyMhCn8BezIN6fkXcyPF+u9QzGR0nalY7e5cPytM:VMKsEizT7cT48mnmlMhCn8BezIN6fkXz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2292	In-Cyber.com.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	736cafa831b40e66fe1c41a5db6e5926.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	In-Cyber.com.exe
File opened (read-only)	\??\L:	In-Cyber.com.exe
File opened (read-only)	\??\P:	In-Cyber.com.exe
File opened (read-only)	\??\T:	In-Cyber.com.exe
File opened (read-only)	\??\A:	In-Cyber.com.exe
File opened (read-only)	\??\G:	In-Cyber.com.exe
File opened (read-only)	\??\V:	In-Cyber.com.exe
File opened (read-only)	\??\K:	In-Cyber.com.exe
File opened (read-only)	\??\M:	In-Cyber.com.exe
File opened (read-only)	\??\N:	In-Cyber.com.exe
File opened (read-only)	\??\O:	In-Cyber.com.exe
File opened (read-only)	\??\W:	In-Cyber.com.exe
File opened (read-only)	\??\E:	In-Cyber.com.exe
File opened (read-only)	\??\H:	In-Cyber.com.exe
File opened (read-only)	\??\I:	In-Cyber.com.exe
File opened (read-only)	\??\Y:	In-Cyber.com.exe
File opened (read-only)	\??\R:	In-Cyber.com.exe
File opened (read-only)	\??\S:	In-Cyber.com.exe
File opened (read-only)	\??\U:	In-Cyber.com.exe
File opened (read-only)	\??\X:	In-Cyber.com.exe
File opened (read-only)	\??\B:	In-Cyber.com.exe
File opened (read-only)	\??\J:	In-Cyber.com.exe
File opened (read-only)	\??\Q:	In-Cyber.com.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	In-Cyber.com.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	In-Cyber.com.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2292	2976	736cafa831b40e66fe1c41a5db6e5926.exe	28
PID 2976 wrote to memory of 2292	2976	736cafa831b40e66fe1c41a5db6e5926.exe	28
PID 2976 wrote to memory of 2292	2976	736cafa831b40e66fe1c41a5db6e5926.exe	28
PID 2976 wrote to memory of 2292	2976	736cafa831b40e66fe1c41a5db6e5926.exe	28

C:\Users\Admin\AppData\Local\Temp\736cafa831b40e66fe1c41a5db6e5926.exe
"C:\Users\Admin\AppData\Local\Temp\736cafa831b40e66fe1c41a5db6e5926.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\~sfx001FA9A326\In-Cyber.com.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx001FA9A326\In-Cyber.com.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~sfx001FA9A326\AxInterop.WMPLib.dll

Filesize
48KB

MD5
67d1e153ac4b4eef355c8ef653b8a972

SHA1
5b1c7b72ad0531bfe2df24b9987f778381de450a

SHA256
68bf6675a9c2669fdf1d4f82de364197f2534e8f0673c46f71447f0ccd7bb8cd

SHA512
869cbba2d94b16cb13adcf0ec100451d183ac785d30ac55929ba147d9eb12342d494b058e656b5048038d2719d92a30aef4075ea42b12460022f791a8ed4f423

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx001FA9A326\Interop.WMPLib.dll

Filesize
268KB

MD5
2722ef18cea318904b47011fa1066cba

SHA1
3c4a74eadeb9b7f3b3810e8bbe9372974b16b4de

SHA256
327dd2fa418229de9fa3b2d05cba24c68566d8239967859634f0acba116265b6

SHA512
bc2b9a2f76f7491d8964f400e6a526074460a17eec5ffeb3b7c8931773b0fae45ab9713478285da4e63f08e21c24487fe89ae6b528437b617bfa99cf4c9814e0

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx001FA9A326\In-Cyber.com.exe

Filesize
654KB

MD5
18b154408485068cb920bb4ea1b64d72

SHA1
58ad3ce31b4b0416d2cf108c576d67776db35ba7

SHA256
0ed22c66d4d02b8c4c97924de0c7491c89729aa15987f1c22bae68888df6674d

SHA512
ee82208e018f94f39e926f74a15119eb0823bb3dd983e7e152fcab302a8a1c427a0d4b6fd73c411b4891d33c1eb3dd0e11d720c7b69ff83f1fa4833dc1b1cffa

Download Submit
memory/2292-22-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2292-19-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2292-21-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2292-18-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2292-17-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2292-24-0x000000001B350000-0x000000001B396000-memory.dmp

Filesize
280KB

Download
memory/2292-25-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2292-26-0x000000001BAF0000-0x000000001BAF1000-memory.dmp

Filesize
4KB

Download
memory/2292-27-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2292-44-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2292-45-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2976-43-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing