85c68afc84f2ff1b282b12c64c10f559c8de22a3e46b8cd03d09f95fb82f3a18

General

Target

a25c9e0db567e8860dd5b44bb1f78696.exe
Size

1.6MB
MD5

a25c9e0db567e8860dd5b44bb1f78696
SHA1

2b074514d036c658e181c4ceb33726e83eadee85
SHA256

85c68afc84f2ff1b282b12c64c10f559c8de22a3e46b8cd03d09f95fb82f3a18
SHA512

739a17492a14d9a0573bb885e475290f04382011f0eb5d495bc682b9a7781d59bb1ae0256594974f5cd97652b2af82aeda75cc84d4d99a70500aca198ece3363
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9E:/GIjR1Oh0To

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a25c9e0db567e8860dd5b44bb1f78696.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a25c9e0db567e8860dd5b44bb1f78696.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2172	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	a25c9e0db567e8860dd5b44bb1f78696.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2372	a25c9e0db567e8860dd5b44bb1f78696.exe
2372	a25c9e0db567e8860dd5b44bb1f78696.exe
2372	a25c9e0db567e8860dd5b44bb1f78696.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1644	2372	a25c9e0db567e8860dd5b44bb1f78696.exe	29
PID 2372 wrote to memory of 1644	2372	a25c9e0db567e8860dd5b44bb1f78696.exe	29
PID 2372 wrote to memory of 1644	2372	a25c9e0db567e8860dd5b44bb1f78696.exe	29
PID 2372 wrote to memory of 1644	2372	a25c9e0db567e8860dd5b44bb1f78696.exe	29
PID 1644 wrote to memory of 2172	1644	cmd.exe	31
PID 1644 wrote to memory of 2172	1644	cmd.exe	31
PID 1644 wrote to memory of 2172	1644	cmd.exe	31
PID 1644 wrote to memory of 2172	1644	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a25c9e0db567e8860dd5b44bb1f78696.exe
"C:\Users\Admin\AppData\Local\Temp\a25c9e0db567e8860dd5b44bb1f78696.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7033.bat" "C:\Users\Admin\AppData\Local\Temp\CDE71F3719EB4A778769773F7A0CBB80\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a731244dcc698d0d144269489925eeb

SHA1
e0ff86a605ca6b531208d17f0d938c31bff9dfcb

SHA256
c0ea5b5a3cb333044a734a86b2720452fe00e55c5c5c268dd6ab29a658bd2c9c

SHA512
f3987a521c4957a0617ba7331d9dab26d409a3fb1383249576ad399cbe72ded66d6cb92f998bd09d594f8546e050d2852b2ed038df5ce85fb8237af49c5193fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7033.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDE71F3719EB4A778769773F7A0CBB80\CDE71F3719EB4A778769773F7A0CBB80_LogFile.txt

Filesize
4KB

MD5
6e2b7ac666a3de38e070622b85adf51a

SHA1
8a55255e0fd2f61afa133cb81a455d80994b2eed

SHA256
21780153366f591a053fa3ed4f1feca73514f9a05e76e0c9e3d407301492807e

SHA512
375a45c1fc01e8351ecb6477a37230b576a1a78537308c0125c1750eda89f13cb077c3fdb40415918a34392a562bd3d58fe3fb7875c94d50706893f46e107707

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDE71F3719EB4A778769773F7A0CBB80\CDE71F3719EB4A778769773F7A0CBB80_LogFile.txt

Filesize
2KB

MD5
4fb8fecdcf1f242178f9465dd096d180

SHA1
ac7db53f187ff3f97a6b3e7f67aaf53d42bdd5d3

SHA256
51471a1eef779296c27ba23160efe7b059918a8a43fc8021181be8547c999565

SHA512
5b077c43023c9618409319a1db38877633b18a1fda43c904b1cc955f86a2c0361056aeb34f961bf4a6f115247c95488d3eb64fb79ccfea35a1bb9699e66dedf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDE71F3719EB4A778769773F7A0CBB80\CDE71F~1.TXT

Filesize
101KB

MD5
c85dcebc7407c0b0f74840b86520ec58

SHA1
c0a5da318ed1544f801047aec53d809a352bc9f3

SHA256
046942fb23be7927bc319ba7c8e78d3da8250a857abb751fb48176534d03b439

SHA512
09d407812ca0dc31aba0a0afd668a09dd3ffccded153beb663f859598fc22b41cbf7b124ed4dcd56de514ddda635e5c060f0089da8f8c91bd0b24604b3647a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF03.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2372-63-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing