7864276e1cbc8514a689f02feb136c174a1f95122ba0be09f545f3b461c495ef

Analysis

max time kernel
101s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3gwin.exe
Size

763KB
MD5

fa059b2050377de9c7a249ce122435b3
SHA1

027bd7085e3b0eaf1fea958fba1ade1263212e08
SHA256

7864276e1cbc8514a689f02feb136c174a1f95122ba0be09f545f3b461c495ef
SHA512

34a219cc779e8998b23c5c5a5f954cbe5cb5a9a214091b66328de9d3660f002824c1daf9871fff369e727df271020502d03875b305ecdd6d27fe367c3066774f
SSDEEP

12288:vOU3w/En5sXwyoU/OIs4cXLc+u7UgRw5mYv6Dxdbb1bCUNjnTp/I:vOChOIU/OI1uL3mzmmYERbDTVI

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2620	InstallFramework.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	3gwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3gwin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3gwin.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32
PID 2868 wrote to memory of 2620	2868	3gwin.exe	32

C:\Users\Admin\AppData\Local\Temp\3gwin.exe
"C:\Users\Admin\AppData\Local\Temp\3gwin.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT
  2⤵
  - Executes dropped EXE
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /RELANCE
    3⤵
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
12.0MB

MD5
5d31b02243eb327ecd1ed04e4ad94e80

SHA1
7c0610cb6d6a422e4789fac3cdaf614b4505a1d5

SHA256
b6f46070b17718af11488e68340869bfb4f754a9d2e1362b43c69b49505a9a4a

SHA512
6dc4cd03a8abfcf8d9792467883736686eb9d6bca5c600432f47325cac681a659fd19c164f1c74fbbe178ebdd798de324c6c01b112ec3e6ef188cdf8b16f0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
9.7MB

MD5
a95e4d392a597feaa365756f6a239a7c

SHA1
c34d0af4a11611ee1bfb3004aa8692001f2b77d7

SHA256
0c05748e99c418554e3b3c2c320326104210f2041154b55e8917ba694bbf4eda

SHA512
782727b6efa4dbc6da520324467cce5909e3993fee59a2c4caf1c61eb9b225265196e49e49206c16bc61cf85ef7f6e6391463863807082ce3037a1ae2080f72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
3.0MB

MD5
b4652c6705d97e7fc61901df3ab17c0e

SHA1
889cf9d4c8ee528b912dc26237b7fe8b64d93be1

SHA256
7c22afdb14f6c252ca6c7f6759a24df6babb73ce75d3eb4bd54b764c66e68e53

SHA512
b544903400f6cbc496ac87cb86d281aee5ee68c37ad99a8cff1c53166680353169dd17071d8b7902f47d5396011d47864bacbdd3bbfb0e96f08464d81dfbfd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
2.2MB

MD5
f98f29cc7a222878b47fb2f23d60ebd4

SHA1
195ab89b782188ea3e24609d2ef26dab2dbe203d

SHA256
b9b4aaaf3f42259b0fdccb9f08dcf61553e5318e3455e697bb6e9784cbda6f8b

SHA512
d2a463bc833b18fab39f55a6bc53cc0e37c5a60098a942cf71a4e6e7501db167113df14ee3197821824d8360318cc4b9a1fd48748919f78173943247d4411928

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280mdl.dll

Filesize
192KB

MD5
3cb0d790abd8d62b47ae7994be62abcd

SHA1
949fe08bcd25f1d23f0fb8c156079ad6c1ced12c

SHA256
9dc2d9d53c06868e2fbf94fc1d9f9bb2e6dc205326d6091136c1c97755789405

SHA512
5e794e0633eb75ef9fe4445fdf5de473791e0bcc4021e0894e1ca4c8fc72efa48e4196e23e91a498382b29f1942e9ea2c4190b1ad954429b121cb0a0520dc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280obj.dll

Filesize
1.4MB

MD5
2c3c78418219a9d73f24bf32bb868ebb

SHA1
4fa134acdfb3eac8b76fe123a32af06a4fd2371d

SHA256
e79b58381de70804e68b6f06b5e969864721002fb3db43537129704058348fe9

SHA512
c2291ca0c1a167c354b12c96f14982fdd379c8c4b5d84477446d841c87ca186480dbdf25f6903c1b7fe85d5338b44a6a55d5773d9fad3a4501fc1e5d8e0a7165

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280pdf.dll

Filesize
1.4MB

MD5
644dba924edd3e295910cfb6c0ec4b15

SHA1
d03b3d126edf8c4c532e08cd203fc43f6f6f1362

SHA256
4628e0536f58a3d9fef9dea064675797508caf5a057539eb58dea21e58eac9d4

SHA512
7ee20d97b1c7f7a25ee427dce96af8556a33b24b1ec0653a343425b87e00558561dc89585c39eefd5d73958d7eed3c2e10de7033084c42df1902a38b2e3e6c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280pnt.dll

Filesize
1024KB

MD5
54c2e8987ed9f7845bedb7cec9fb07d4

SHA1
4b61beff57f11f628721681cd4919f0228748372

SHA256
bc348b13373ad21192f917c49f43bc38a76b785ac82ef9f35008c2cd6591f99b

SHA512
fa2c61f8d4e11de24726a220c2e003fed07fcdd34c8e56d4fb923b38cc75e2f1cc98d575eda9fdf7208936ae348e0c0bb9b363fc1742b7cba124d576201d84ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280std.dll

Filesize
1.7MB

MD5
a019094b546c65e1c8d339fefcf8ef37

SHA1
8dc82de7fbbc0d9d9fcc0c0bd780fb11e413ad7c

SHA256
117cc71debaef87c8f662c0983a4457fbe6594787fb21cdc2e04147dd7f2ef06

SHA512
86349977fbccbe15d2ef2b5a8ced33224303d0ee3ee3e4650c94c820a892a872fef7ada572b9a368f1077881a99f39442aacf5335e9abc4571e8136612b59575

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280vm.dll

Filesize
2.1MB

MD5
1944e544e022eee4968131e069e28e5e

SHA1
42d08e0e898302fac42fdf398950a57fba686c27

SHA256
39ce7969e6607635d5190b01f4cda7cc2002cd8559333621f5d84de43ab48ce7

SHA512
1e0f65a37451f4fc4380d856ccb58c41774b452a93393a3cf1e4a89310da00a3e3fa29aaf9d70ca32f64218ae520361420b5eced45f479d5563e725d601774e5

Download Submit
\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
9.2MB

MD5
5c798777999732ab589f5494e254ac3b

SHA1
a0a7f0e3c41dce69a56cdba490428f52e7f3e920

SHA256
e3bd156d8710be3485e98adee9cb26648aa8be2813d5d382d384d2446fcf4f1d

SHA512
5e8cc02f86c09216d7d40c2bb5fbabd8d5f333f21f9bc0eb8e467c64c5a2e533f65feeb475af746d0b990982cda6bd5d48b6ae83b9c97d998af6c748f9ccaeec

Download Submit
\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
1024KB

MD5
eeb5d71cf0bd36f08f3e7399befe4816

SHA1
13b492d16cc39d31c9ec43abfe745c4cda7f8897

SHA256
b1bb734f97d25056983514ff1d14693c61464cf325b51c6f12a552a556cd09c7

SHA512
0ee9d4c8d810f99a2ef4e27f9af9d8f73fc3941114544ece33eff033c941a799d546b2ad02ca202467e2caf119271cdcb5186df70bd1ef8d86c6cf2d5baf0585

Download Submit
\Users\Admin\AppData\Local\Temp\wd280com.dll

Filesize
42KB

MD5
2694b9ab3d1f56c66375d53e8e843e1d

SHA1
1e4d7b615c0e456aaf17ce1c4c2d17c0ca893d62

SHA256
01f18fea8d7d311a331a6c2f42c84db001d49da35613393cf548b7b4775229d4

SHA512
6cedaac5fe8cb904340cee04c5ed625a4f9199232ae8c2b8d7e7b143c1942c76ac0ec9d66c2b6188a47f4591961657d0a4161c214b4c02f61adcc3b222e4697b

Download Submit
\Users\Admin\AppData\Local\Temp\wd280mdl.dll

Filesize
128KB

MD5
502f93fff6ae38a7b619d63b43080947

SHA1
e3ae164720631c23597ebba8639402ebf999036e

SHA256
4d854d0fd9065929faba6db83d17f82df90468e5dfba37efd9e1103f5d451d42

SHA512
9a25a911e9dab50de709d5715389205f469d8b83a8a646efb0acaca9389b6481bae5bb3e9a4e2b18ed549d6d46943c1f1249022c1432e6e2e12013a04a52035e

Download Submit
\Users\Admin\AppData\Local\Temp\wd280obj.dll

Filesize
1.8MB

MD5
33ba642f77d74739f9577b6532316e25

SHA1
9b46955d78240c2e1a03fd1c878acbd6a261af70

SHA256
46a06ec35c3363042b7b5d8139643638bd9224097f8023909b757d3fab5f723a

SHA512
bcc97d88c1af6c46d09c0d0481a59b99f49acbe60de1e846763de8a7a70d1d0601308c4f2841f11c49a6da7c8f32b3fa813703fb0c182ce17b6f5b8c49c8e59c

Download Submit
\Users\Admin\AppData\Local\Temp\wd280pdf.dll

Filesize
1.3MB

MD5
2daffe88d313df5d544a92263c865e7e

SHA1
808ece5630f411418e0b1e4b924af05d547d697a

SHA256
efc9e3b18d87f864ff81f057ec8603601e6ade7f66cecbf5c6d7727a2bd2454d

SHA512
5c4ffe1c714b79fccc7cd036e441c26e1f4bca00b6a8024346624fb0eacfae7aa0009f49f0f17cfa16f6aae4dbfe55d52b3365e9fc3291dd4ab1f4f1a00089ef

Download Submit
\Users\Admin\AppData\Local\Temp\wd280pnt.dll

Filesize
960KB

MD5
681e8784919ba0d40cfcb04d2e18e0ae

SHA1
77c131197c552d26dfd7a20e4ee789473e8346e9

SHA256
765805d6c15e3cd80bd09694b6d1a49b58ec84bcd972265358a887f78f097a6d

SHA512
af990d90aaba96591893aa818018a91313954d8b0fc4ee5f0edd06e9fa61df9ac6f3f3f5b3027ef1063de0fe5f6ef5c487448b78c5093e3df553495882157286

Download Submit
\Users\Admin\AppData\Local\Temp\wd280std.dll

Filesize
960KB

MD5
f4f86d81522184e6248f1bd5d27f3b1b

SHA1
f08af5e34a6087b03e233fe10acb7512e19a77d5

SHA256
c3eb7179226b2c7e4633398e159c41bb3d69bd18d7e78c5b881e7e9419e7f8fa

SHA512
33bc416fb6c3c44f996ad969df2d8796f4bdbb24396e73240b930a404e9f3404447a6d26948eb9d939d695ae03b8b7450ededbf029eb0de257cda26e6ea31b20

Download Submit
\Users\Admin\AppData\Local\Temp\wd280vm.dll

Filesize
1.5MB

MD5
8b970193bf977a7401061d4217703849

SHA1
8a795d14d5cc5c3a4717f0057c5ee7ed5f8bec08

SHA256
b44d7f119b4ace4723be0627392cdbdee240d5fd9d70d153acb15e384f5cb186

SHA512
a68dc53926ce04621fd82e22be0271c9d7fe5a07d170275238a2aeed350a679bea3e04312574f9b6e3b977dcc3a7f298cce24267d28cad7c4a060711792728a0

Download Submit
memory/2868-180-0x0000000003DD0000-0x0000000003DE0000-memory.dmp

Filesize
64KB

Download
memory/2868-175-0x0000000003DD0000-0x0000000003DE0000-memory.dmp

Filesize
64KB

Download
memory/2868-271-0x0000000003CA0000-0x0000000003CE0000-memory.dmp

Filesize
256KB

Download
memory/2868-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2868-17-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2868-308-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download