8471b910ca27f0ca1408d5fbea466040c85de6963e99b97b496a937f241cdf23

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$_3_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$_3_.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2188	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2188	$_3_.exe
2188	$_3_.exe
2188	$_3_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2468	2188	$_3_.exe	29
PID 2188 wrote to memory of 2468	2188	$_3_.exe	29
PID 2188 wrote to memory of 2468	2188	$_3_.exe	29
PID 2188 wrote to memory of 2468	2188	$_3_.exe	29

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\11439.bat" "C:\Users\Admin\AppData\Local\Temp\8338C3EE1600496BBE2D0EB20A39E787\""
  2⤵
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\$ICB8I0U

Filesize
544B

MD5
29778b61d531e59b95ab8a7a2f2622f2

SHA1
8c23bfdc9203173fd0f9051a586129f72db9e791

SHA256
35ed40cfec4c3709ced51d1529ab6eab6f3b33d489f399048a7501d8dffbb268

SHA512
24370f5876be743416db5b6574dc0994383ea073b6a11e21641493bb1ea9e7fa2e0c32ca3dc8caf0c03f5dc80b8364ffc4e5da98152a50c52fa0c0c09baec6c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0af98b93df90fcc3845973be5ade330

SHA1
d0c2cbaf33d55d6099475ac1ed248a5fd62f5634

SHA256
69573dca82f66e9f33f76cc516a8923ebee5e50f082a01d0a74e08e1d034e50b

SHA512
2561cb0ffd120e34b3fab7f34bd91270a814398591d247a7a0bb458fac3503aa13aae36088f3e332382de94566bddf959f9a298b57450db2cde3eced42e49548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1f5c439d4393b0e55af72452d5b5f6a

SHA1
af282fbb1abc0ddf2f4525087a83f147cbe73b18

SHA256
de481fe6c164ebb20a83a87e96d8a95b8366564cc294e5ed8ed173c1672779ca

SHA512
fd5bbc5f7a778fdd7f8614ab8e03ef469424ca26417955db42976fe3414ae6144431b690fd7dbc0dea33c7836d0c4af785c5529328c0212955c2fb1f82e5d4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0e859533b092432a4e19dd7474d25bef

SHA1
d5c28fd414dfd23aed908d7165f346f634b86f18

SHA256
66056b23178d6be011dcae56d2fb2a5e7e637c24d70e298d95ab78caccf48a03

SHA512
957d835e6dd3633c5c9c59b44acf34c19e5d0a1d760ae9de576a98a92243da4b2c22e422081bb73ec2f3e17050510e1e2dd5b521c112cd0a501c4f8a10907559

Download Submit
C:\Users\Admin\AppData\Local\Temp\11439.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8338C3EE1600496BBE2D0EB20A39E787\8338C3EE1600496BBE2D0EB20A39E787_LogFile.txt

Filesize
2KB

MD5
495a5ed93e69f02fb3fcaf73e6903db4

SHA1
113c638fc30b4910f7581328faf3149a40233220

SHA256
982347ebed406df37b78d900b217710d9f1bac097a703b1c5a8ac90f1951dc95

SHA512
2907a0106d756666d69d94cb644f778fe07654a079128e86be3f602a6d30113db1219725425ebe3d6e25e5be57b875a1259a1501092d66f9e442132a41c95220

Download Submit
C:\Users\Admin\AppData\Local\Temp\8338C3EE1600496BBE2D0EB20A39E787\8338C3EE1600496BBE2D0EB20A39E787_LogFile.txt

Filesize
5KB

MD5
9aa24e2f84ae1865a20d51267a04df42

SHA1
c3e66321e31469fa6a3c0d2f6bf3b2033839865b

SHA256
6af44c99ef1f28caa497ecea4b46d20cdce9e1ced46e155855d6def0cdf1863d

SHA512
26dd4e1eb9667e83fcbc1b77b9975d3149f17ce30f3344a1878a3ebcc6b567670f60997d6af08b529bd08d49fe4830fbce7cabf8af78f80cf0abf6bd4d2e86da

Download Submit
C:\Users\Admin\AppData\Local\Temp\8338C3EE1600496BBE2D0EB20A39E787\8338C3EE1600496BBE2D0EB20A39E787_LogFile.txt

Filesize
2KB

MD5
a5a2c6c1908b0ba224e4584793af448d

SHA1
930d95cbc2acbe1575cd98f3ce7fdd59829b532c

SHA256
4a2017097dfd15217e8d4e5fd821334672c3b15b7d28746463a9f40ed4939609

SHA512
f6cd25733e83eb1606087cbfeb9a2e8a8e7543039a70a12090e6fab462159180a8e6cce39a7693198a6a6660560e036ebfc1e5046f3d53174423254681c5b424

Download Submit
C:\Users\Admin\AppData\Local\Temp\8338C3EE1600496BBE2D0EB20A39E787\8338C3~1.TXT

Filesize
25KB

MD5
77d1edcfb917fe8f41216bb2a91e6797

SHA1
a3124d9807b1133564c95c1d3ff403335fef0069

SHA256
6b2587f2904613996863df04881cb672c2602dd97a872a4caef9e93a1370ad68

SHA512
f052965fe9ddd00350157acb40f4bd38839dda4bd34c4715e44e277425f2cc943ffb3f98cf2da3dda84a41354beb2d27cc5594f0f91eef674e79813fc9189167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2188-65-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download