90a6d0f62beed5411805473a26142ae3233795a46aeaf69a12bcf61e00210073

Resubmissions

23/02/2024, 13:21

240223-ql155sha77 7

23/02/2024, 13:18

240223-qkdy8agd7v 7

23/02/2024, 13:01

240223-p9mf8agh27 7

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notion_software_x64.exe
Size

2.9MB
MD5

ad3f5742da2944f54842c969fd2ce856
SHA1

f85235d4c05fa8e55304fc2203e479f21df1e95f
SHA256

90a6d0f62beed5411805473a26142ae3233795a46aeaf69a12bcf61e00210073
SHA512

505458aa1e676570dfa1a3b1d4676dad168c53f0dcbf6aa7de1e47b231f6f093ec73988c6fb458dc5f396a2190b6626e009c8528d0e0fce3f3ec4756aba2c48f
SSDEEP

49152:2cW4fkb5s/q0p5V+1Z6etmae/Sst23aWdf/fiZD2YmMZ3CJdL8PU61zb:2X405Kqg+1ZZQaeKsE3aO3PYm2xPUCH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	Notion_software_x64.tmp
2644	Notion_software_x64.tmp

Loads dropped DLL 4 IoCs

pid	Process
2544	Notion_software_x64.exe
3024	Notion_software_x64.tmp
2648	Notion_software_x64.exe
2644	Notion_software_x64.tmp

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CBA0C11027D8BA59BFFA3C5EDD8DD5DF09DBE882\Blob = 040000000100000010000000bb6076be49678891d5f53700a5e0f3660f0000000100000020000000cc086bb4cf152d205c11a3d829392667a3fc24af2712e19f5e3f7e17b179b921030000000100000014000000cba0c11027d8ba59bffa3c5edd8dd5df09dbe882140000000100000014000000d07c9b18c0a60b881cc85abaf87b5752f3930cbe2000000001000000f9020000308202f5308201dda00302010202101568315bd287febff8215fe7812f6035300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303231393139303030305a170d3239303231373139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d38120f9a090dd7c2259faaf65b872934dec092b495b3d31defe70b9e22be7a609a43cbafc7f343b3be7eeabd048a0ab50bd267530afbe3d7dd60ca608f9d7c3ff6da0f0cbc29faf8e94a1ba48001d1b943a80c6a8cc2fbf31023bfacab97bdb9611c10fa92a482a509fcccbd945b3dea53eb19a2146737bdb880792d2d03fbca874d78d7136f7a5d98fefe6bf3644473d0121971cc61f1941992a6f2b8f3858b0c46f31752237fea9d0a021c29ce11245316f07c408df1a691dd4af9fbbc22eb94a089ced30f0b37b1551f46d5fca9467d53abdc8d0a0793c3ddb9c902fcdf563ed73ed21c4f3334bf12aa40b8a4eae86e4eb1d8ee9af7552164a0d20ee856b0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414d07c9b18c0a60b881cc85abaf87b5752f3930cbe300d06092a864886f70d01010b0500038201010048f950cffdac582fe909258dd8e058e445d4025ba090d195e8d956f1ed66082159f5b678aec41e2ea06fb5710136701d5312d8efe9047c6b32e98b05bf7accac67d18ded5ab874b2898d0cf3783bea52429d13c27fa991f6b2f5bc20c99856f32b6c347af9fad98c9d8acb93c6f2c5594ec2c0c2a9f7a2cc022789b687042e5d8cb83c7f9ef17036cb5f9d96ec580cbfde8d00c863f3f79aa015b112ac31bdf05dfddfb8240516761bf8d7bb1dc45590d1a17d10e910a7b3847eacb7e0f14240186a8ac3973853c9ca3d967df4befaca2b5a408c8e09582ff837bda49f02f913d471b2725729795ddf1a41396a7be970fb36840d32d6cb9846da83f2031cf8fe	Notion_software_x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CBA0C11027D8BA59BFFA3C5EDD8DD5DF09DBE882\Blob = 190000000100000010000000ec1362732f6034246c6ad4861fea1981140000000100000014000000d07c9b18c0a60b881cc85abaf87b5752f3930cbe030000000100000014000000cba0c11027d8ba59bffa3c5edd8dd5df09dbe8820f0000000100000020000000cc086bb4cf152d205c11a3d829392667a3fc24af2712e19f5e3f7e17b179b921040000000100000010000000bb6076be49678891d5f53700a5e0f3662000000001000000f9020000308202f5308201dda00302010202101568315bd287febff8215fe7812f6035300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303231393139303030305a170d3239303231373139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d38120f9a090dd7c2259faaf65b872934dec092b495b3d31defe70b9e22be7a609a43cbafc7f343b3be7eeabd048a0ab50bd267530afbe3d7dd60ca608f9d7c3ff6da0f0cbc29faf8e94a1ba48001d1b943a80c6a8cc2fbf31023bfacab97bdb9611c10fa92a482a509fcccbd945b3dea53eb19a2146737bdb880792d2d03fbca874d78d7136f7a5d98fefe6bf3644473d0121971cc61f1941992a6f2b8f3858b0c46f31752237fea9d0a021c29ce11245316f07c408df1a691dd4af9fbbc22eb94a089ced30f0b37b1551f46d5fca9467d53abdc8d0a0793c3ddb9c902fcdf563ed73ed21c4f3334bf12aa40b8a4eae86e4eb1d8ee9af7552164a0d20ee856b0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414d07c9b18c0a60b881cc85abaf87b5752f3930cbe300d06092a864886f70d01010b0500038201010048f950cffdac582fe909258dd8e058e445d4025ba090d195e8d956f1ed66082159f5b678aec41e2ea06fb5710136701d5312d8efe9047c6b32e98b05bf7accac67d18ded5ab874b2898d0cf3783bea52429d13c27fa991f6b2f5bc20c99856f32b6c347af9fad98c9d8acb93c6f2c5594ec2c0c2a9f7a2cc022789b687042e5d8cb83c7f9ef17036cb5f9d96ec580cbfde8d00c863f3f79aa015b112ac31bdf05dfddfb8240516761bf8d7bb1dc45590d1a17d10e910a7b3847eacb7e0f14240186a8ac3973853c9ca3d967df4befaca2b5a408c8e09582ff837bda49f02f913d471b2725729795ddf1a41396a7be970fb36840d32d6cb9846da83f2031cf8fe	Notion_software_x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CBA0C11027D8BA59BFFA3C5EDD8DD5DF09DBE882	Notion_software_x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CBA0C11027D8BA59BFFA3C5EDD8DD5DF09DBE882\Blob = 0f0000000100000020000000cc086bb4cf152d205c11a3d829392667a3fc24af2712e19f5e3f7e17b179b921030000000100000014000000cba0c11027d8ba59bffa3c5edd8dd5df09dbe8822000000001000000f9020000308202f5308201dda00302010202101568315bd287febff8215fe7812f6035300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303231393139303030305a170d3239303231373139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d38120f9a090dd7c2259faaf65b872934dec092b495b3d31defe70b9e22be7a609a43cbafc7f343b3be7eeabd048a0ab50bd267530afbe3d7dd60ca608f9d7c3ff6da0f0cbc29faf8e94a1ba48001d1b943a80c6a8cc2fbf31023bfacab97bdb9611c10fa92a482a509fcccbd945b3dea53eb19a2146737bdb880792d2d03fbca874d78d7136f7a5d98fefe6bf3644473d0121971cc61f1941992a6f2b8f3858b0c46f31752237fea9d0a021c29ce11245316f07c408df1a691dd4af9fbbc22eb94a089ced30f0b37b1551f46d5fca9467d53abdc8d0a0793c3ddb9c902fcdf563ed73ed21c4f3334bf12aa40b8a4eae86e4eb1d8ee9af7552164a0d20ee856b0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414d07c9b18c0a60b881cc85abaf87b5752f3930cbe300d06092a864886f70d01010b0500038201010048f950cffdac582fe909258dd8e058e445d4025ba090d195e8d956f1ed66082159f5b678aec41e2ea06fb5710136701d5312d8efe9047c6b32e98b05bf7accac67d18ded5ab874b2898d0cf3783bea52429d13c27fa991f6b2f5bc20c99856f32b6c347af9fad98c9d8acb93c6f2c5594ec2c0c2a9f7a2cc022789b687042e5d8cb83c7f9ef17036cb5f9d96ec580cbfde8d00c863f3f79aa015b112ac31bdf05dfddfb8240516761bf8d7bb1dc45590d1a17d10e910a7b3847eacb7e0f14240186a8ac3973853c9ca3d967df4befaca2b5a408c8e09582ff837bda49f02f913d471b2725729795ddf1a41396a7be970fb36840d32d6cb9846da83f2031cf8fe	Notion_software_x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CBA0C11027D8BA59BFFA3C5EDD8DD5DF09DBE882\Blob = 140000000100000014000000d07c9b18c0a60b881cc85abaf87b5752f3930cbe030000000100000014000000cba0c11027d8ba59bffa3c5edd8dd5df09dbe8820f0000000100000020000000cc086bb4cf152d205c11a3d829392667a3fc24af2712e19f5e3f7e17b179b9212000000001000000f9020000308202f5308201dda00302010202101568315bd287febff8215fe7812f6035300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303231393139303030305a170d3239303231373139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d38120f9a090dd7c2259faaf65b872934dec092b495b3d31defe70b9e22be7a609a43cbafc7f343b3be7eeabd048a0ab50bd267530afbe3d7dd60ca608f9d7c3ff6da0f0cbc29faf8e94a1ba48001d1b943a80c6a8cc2fbf31023bfacab97bdb9611c10fa92a482a509fcccbd945b3dea53eb19a2146737bdb880792d2d03fbca874d78d7136f7a5d98fefe6bf3644473d0121971cc61f1941992a6f2b8f3858b0c46f31752237fea9d0a021c29ce11245316f07c408df1a691dd4af9fbbc22eb94a089ced30f0b37b1551f46d5fca9467d53abdc8d0a0793c3ddb9c902fcdf563ed73ed21c4f3334bf12aa40b8a4eae86e4eb1d8ee9af7552164a0d20ee856b0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414d07c9b18c0a60b881cc85abaf87b5752f3930cbe300d06092a864886f70d01010b0500038201010048f950cffdac582fe909258dd8e058e445d4025ba090d195e8d956f1ed66082159f5b678aec41e2ea06fb5710136701d5312d8efe9047c6b32e98b05bf7accac67d18ded5ab874b2898d0cf3783bea52429d13c27fa991f6b2f5bc20c99856f32b6c347af9fad98c9d8acb93c6f2c5594ec2c0c2a9f7a2cc022789b687042e5d8cb83c7f9ef17036cb5f9d96ec580cbfde8d00c863f3f79aa015b112ac31bdf05dfddfb8240516761bf8d7bb1dc45590d1a17d10e910a7b3847eacb7e0f14240186a8ac3973853c9ca3d967df4befaca2b5a408c8e09582ff837bda49f02f913d471b2725729795ddf1a41396a7be970fb36840d32d6cb9846da83f2031cf8fe	Notion_software_x64.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	Notion_software_x64.tmp
2644	Notion_software_x64.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	Notion_software_x64.tmp

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 2544 wrote to memory of 3024	2544	Notion_software_x64.exe	28
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 3024 wrote to memory of 2648	3024	Notion_software_x64.tmp	30
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2648 wrote to memory of 2644	2648	Notion_software_x64.exe	31
PID 2644 wrote to memory of 2360	2644	Notion_software_x64.tmp	37
PID 2644 wrote to memory of 2360	2644	Notion_software_x64.tmp	37
PID 2644 wrote to memory of 2360	2644	Notion_software_x64.tmp	37
PID 2644 wrote to memory of 2360	2644	Notion_software_x64.tmp	37
PID 2644 wrote to memory of 2392	2644	Notion_software_x64.tmp	33
PID 2644 wrote to memory of 2392	2644	Notion_software_x64.tmp	33
PID 2644 wrote to memory of 2392	2644	Notion_software_x64.tmp	33
PID 2644 wrote to memory of 2392	2644	Notion_software_x64.tmp	33
PID 2644 wrote to memory of 2440	2644	Notion_software_x64.tmp	36
PID 2644 wrote to memory of 2440	2644	Notion_software_x64.tmp	36
PID 2644 wrote to memory of 2440	2644	Notion_software_x64.tmp	36
PID 2644 wrote to memory of 2440	2644	Notion_software_x64.tmp	36

C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\is-0S6B2.tmp\Notion_software_x64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0S6B2.tmp\Notion_software_x64.tmp" /SL5="$500F4,893978,804352,C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe" /verysilent /sp-
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\is-O9GCM.tmp\Notion_software_x64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O9GCM.tmp\Notion_software_x64.tmp" /SL5="$600F4,893978,804352,C:\Users\Admin\AppData\Local\Temp\Notion_software_x64.exe" /verysilent /sp-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
        5⤵
        Deletes itself
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
        5⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
        5⤵
        
        PID:2360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.cmd

Filesize
154B

MD5
1db5e799399b27d788546c7b55b4052b

SHA1
7a7230bcab44baf97a597e1ec4d890909516ae7d

SHA256
b0e8a7b034729d2d291d3fd4107c56d63c443dab6b47b96e03dcc286339b6252

SHA512
d2b9251f1140f45dfe3adebaeb65f14f6738bb3bb4cc78cd668a02203b565180f777c4613060edbb697e585ab14c532e26aa8a96ce7fdeb25eac3fdb054b1861

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9GCM.tmp\Notion_software_x64.tmp

Filesize
585KB

MD5
7022d32cb69bb84ea7cc08a6b6feb73e

SHA1
53b0836fa5868e09cac47ecb3c49aef3a2ca4c65

SHA256
8418b78060728a8bc746a38eb654faeee0c766f62ddc26258dd124d1cc1dd2ce

SHA512
f57622c97b8ca7e6a23b651fee58c698afd687d361e981eda7eb83acff18b7c2553af173c6d481f4c98497bdd1c0c32a94c16bd23c2f85ceb6961d6ecc4e7d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9GCM.tmp\Notion_software_x64.tmp

Filesize
980KB

MD5
c08fc623e716f1e12b3da8c90a5e5cb7

SHA1
fa30832661480653047ada8ae2e6ba60a4108645

SHA256
f0097d4893269e71024a33984f907b5b2168c5faba145482e2d2e229fd27bd6c

SHA512
895b10dda00bb0eed0bbc01bec9f485d25a19508c86b7537a45c9d9463dc40df635d0d9a80e6125d2732f406e1f47dc1df3eaa4e108bd78e6bb1f3a6fa2ba8ac

Download Submit
\Users\Admin\AppData\Local\Temp\is-0S6B2.tmp\Notion_software_x64.tmp

Filesize
2.5MB

MD5
1dcf9c8a4079eb9eb62a43f3933c06d7

SHA1
8b1cf6ba1e73c79fb69196e656751493e8846b98

SHA256
4691461f311be862bb1517daecff7af451d96e26b5d803a1b08d5e1a97e782e5

SHA512
02f7d825be11122e0b81904b152d7d4ad652411a1731f272bc8353d3279ecaa52f1363e99df9f25bc9d38e1851ee51cbf0c11186e02ad19c5c04ad3b25b00f8e

Download Submit
\Users\Admin\AppData\Local\Temp\is-O9GCM.tmp\Notion_software_x64.tmp

Filesize
926KB

MD5
3a72c57892cfe5f4d7666ef516f615af

SHA1
cec4986faf7b73ddc5678ca1860af5593338aa51

SHA256
e8fe20783ffe26d418aff7c9dfddf683b425f1e51843cfca10a3049c35c89e3f

SHA512
00490fc7f6ad43a9f28e18711cc7b095d5cb95ec71e66af61edabb8003c90d3646f3c450833443de2ca825a89e359cc6893aa384d1f955b3b66b7cc05da0e543

Download Submit
\Users\Admin\AppData\Local\Temp\is-QITO1.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/2544-20-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2544-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2644-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2644-39-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2648-17-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2648-41-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3024-16-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/3024-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download