f72ee83436cb1f82366bfaafb14a4c0cb99826c02166fc0bd21fb6e7eb5190c6

General

Target

SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe
Size

1.7MB
MD5

68a70ef9d99e94926e7231e00e136890
SHA1

5486bb9e8ad619d60e627efb13b1eb474a47c94f
SHA256

f72ee83436cb1f82366bfaafb14a4c0cb99826c02166fc0bd21fb6e7eb5190c6
SHA512

f5b55a4b05ce5598b2997625a659c24ba9b3f6f6bf27da02b2dab07384e062761de906b3c41abb77dd60cfe8dcd6b680ae3595249b046d713ae671b3edabff7c
SSDEEP

24576:O7FUDowAyrTVE3U5FFdj79NTMazaDNfBFLDnDoxJlPWZ67Po6EFd1it8OgqL7X:OBuZrEUz9NwazalBVsPWU7Po6Z8/qL

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Loads dropped DLL 2 IoCs

pid	Process
816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe
2016	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2016	SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28
PID 816 wrote to memory of 2016	816	SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe	28

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\is-PK9GO.tmp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PK9GO.tmp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp" /SL5="$50150,875149,815616,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e3d634d058ae97d9767f68165581bcb

SHA1
fe7cca2e967caa433938a414fbed9fd53559727f

SHA256
17688e26abad5442d2243825943a0e59afced0f444d5da08d066063dee75fbde

SHA512
cef38573fdb1849eafc6338a36276b9d641419e8b962fbb6aad030fcf07b364211dde98db8eb5cd391487b1d829cb9b314c938b151fc8624bf694c92501784bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3999.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39DA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E8JNI.tmp\Logo.png

Filesize
7KB

MD5
5424804c80db74e1304535141a5392c6

SHA1
6d749f3b59672b0c243690811ec3240ff2eced8e

SHA256
9b7e2ea77e518b50e5dd78e0faec509e791949a7c7f360a967c9ee204a8f1412

SHA512
6c7364b9693ce9cbbdbca60ecef3911dfe3d2d836252d7650d34506d2aa41fc5892028ba93f2619caf7edb06576fddae7e5f91f5844b5c3a47f54ca39f84cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E8JNI.tmp\uTorrent.png

Filesize
9KB

MD5
cd3f5b72f3ecc90e946a38e3822b1d99

SHA1
901af8f4017dc55438b7fca85049039a8aefc136

SHA256
f3eca5d467e45c741e9a072aff31bba4db5e91713631dbc4b735a6032fef43e7

SHA512
ca61fca0b5dafd6fbd8f36fb1e524907bc29350226a7f2e4a22f0f563eb2e8c9cd90fe5e413df379d0aa2fd3a0817ade7bba03a2a07a2559ace9404d31275889

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PK9GO.tmp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Filesize
3.0MB

MD5
ea05563cc277258f747f1de0f7a7a740

SHA1
1e01ba7aa914ff64b3d860ecc7b98c1f575f5f2b

SHA256
e1f87b525e1381dbbdda258581d078664acf90de2211df88e543233112be900a

SHA512
7c9baa27e48088183e55352444e41e388dfc74751c1790c0bcaf2e97c9a5ad37c95265061bd6922d9ca1d26390c76e0688d4281b90465ec485a8e42da0f2dbbb

Download Submit
\Users\Admin\AppData\Local\Temp\is-E8JNI.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-PK9GO.tmp\SecuriteInfo.com.Adware.Downware.20091.25676.15900.tmp

Filesize
578KB

MD5
a5f47b8b9fbd54ec860f57e46c5edf9c

SHA1
8a5d313504b31433c1ad5b8090adf1846321c7fb

SHA256
261dbf0aa0614522dcf5cb6fd472a7624db728a7e99515afaeea71697e480678

SHA512
985e03cc947a2d8a97768ecc5e6630432190c97798fed78fea197a57db7a1b54372de68785ea170e8e2f482776034f6385bc85ecc56123a3d1914cf9b9eac595

Download Submit
memory/816-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/816-136-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2016-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2016-126-0x0000000003900000-0x000000000390F000-memory.dmp

Filesize
60KB

Download
memory/2016-137-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2016-138-0x0000000003900000-0x000000000390F000-memory.dmp

Filesize
60KB

Download
memory/2016-142-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing