ef1cadcbc61bbce6e0a7b839e0e4935307f4b7a67088ae300720b3a27b2b95c4

General

Target

a3a1eb9266fe726d012f151f8f215beb.exe
Size

2.5MB
MD5

a3a1eb9266fe726d012f151f8f215beb
SHA1

d21b86ffb7ccd3badb9430aff77708e81899f180
SHA256

ef1cadcbc61bbce6e0a7b839e0e4935307f4b7a67088ae300720b3a27b2b95c4
SHA512

691b57f1609857adc124dd7ec2d7158249274607d806522b0091282c4eef71d65b964abe27176b101e68c41734671f63ea70dcdacc3187b115c27bff107feee6
SSDEEP

49152:BTTULEnhXcKk9vENby4xXjySlDkqcoi3kHCicjhUMsxTWN0Imie:uLEnhXc9ibygXj9Yhj3kiiybsxTm0ImX

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2688	Install Lucky Coupon.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	a3a1eb9266fe726d012f151f8f215beb.exe
2180	a3a1eb9266fe726d012f151f8f215beb.exe
2180	a3a1eb9266fe726d012f151f8f215beb.exe
2180	a3a1eb9266fe726d012f151f8f215beb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Install Lucky Coupon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Install Lucky Coupon.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28
PID 2180 wrote to memory of 2688	2180	a3a1eb9266fe726d012f151f8f215beb.exe	28

C:\Users\Admin\AppData\Local\Temp\a3a1eb9266fe726d012f151f8f215beb.exe
"C:\Users\Admin\AppData\Local\Temp\a3a1eb9266fe726d012f151f8f215beb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\AIR2D76.tmp\Install Lucky Coupon.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR2D76.tmp\Install Lucky Coupon.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AIR2D76.tmp\.launch

Filesize
24B

MD5
a8de8f53f70337245e61bf0ff5faa216

SHA1
805258de64a9a659ba522b4ff62cd389cb6ca5e3

SHA256
51c74b38779c03f1f5c429159553263bfdaeb65b93730ec15c0556507ce9bec8

SHA512
5e3d197177aa3be39972a56f15d2111ddcbc1735ecf0e9e321a36be99d1c58691438d1a9ff7bf6fe3855ea07acc76271b26482e54204069762b6fd486c902dd7

Download Submit
\Users\Admin\AppData\Local\Temp\AIR2D76.tmp\Install Lucky Coupon.exe

Filesize
130KB

MD5
a7ffdf55079873b0f041da8a56e83f29

SHA1
05f2ac17287372c0d953794df2e5b62f1ed8e717

SHA256
7e22c807669c4eedc83d2a273fc15d947d376e029c79973b8cba2b6ca49dde75

SHA512
2cb01b55799a603f35c694e328b0e653b8dbe1d7cfa4f52e6668093123f978b95accbaa446baeb104ed9a8b0418882119b199474faf1815faa64d7e7a269b372

Download Submit

Analysis

Sharing