3d39afe60315f221075bf23b07b455bca3d1d4243d2aac53cb615281741ce44f

General

Target

b5b505d95c1a9770cdb2ebe1ef052249.exe
Size

27KB
MD5

b5b505d95c1a9770cdb2ebe1ef052249
SHA1

2266a1b09be50cedb96bb4698f97892bc9b09614
SHA256

3d39afe60315f221075bf23b07b455bca3d1d4243d2aac53cb615281741ce44f
SHA512

170132618660386994f1fa6814cd95442bec500b1a2d2954833f9cd1f7c8a272da9bd04f0f4a8af80bc015cfcb3891e8afa0b488a5d42a457ae40f9262d19653
SSDEEP

384:rtC5azxFqgqja4u5QWBaYG1SOfRSnvLllCw/Gyz0u+vlV4EuOdPlhLnlgM11jlDK:rtiazxujNSOfRSnvflGplzxOp6yH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2968	a469eeae-f1e1-4298-be92-953aa64c3059.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	b5b505d95c1a9770cdb2ebe1ef052249.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	b5b505d95c1a9770cdb2ebe1ef052249.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2744	b5b505d95c1a9770cdb2ebe1ef052249.exe
2744	b5b505d95c1a9770cdb2ebe1ef052249.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	b5b505d95c1a9770cdb2ebe1ef052249.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2968	2744	b5b505d95c1a9770cdb2ebe1ef052249.exe	28
PID 2744 wrote to memory of 2968	2744	b5b505d95c1a9770cdb2ebe1ef052249.exe	28
PID 2744 wrote to memory of 2968	2744	b5b505d95c1a9770cdb2ebe1ef052249.exe	28
PID 2744 wrote to memory of 2968	2744	b5b505d95c1a9770cdb2ebe1ef052249.exe	28

C:\Users\Admin\AppData\Local\Temp\b5b505d95c1a9770cdb2ebe1ef052249.exe
"C:\Users\Admin\AppData\Local\Temp\b5b505d95c1a9770cdb2ebe1ef052249.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\a469eeae-f1e1-4298-be92-953aa64c3059.exe
  "C:\Users\Admin\AppData\Local\Temp\a469eeae-f1e1-4298-be92-953aa64c3059.exe"
  2⤵
  - Executes dropped EXE
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a469eeae-f1e1-4298-be92-953aa64c3059.exe

Filesize
4KB

MD5
f80fa38d37eb2d1d1d3aec66003b5780

SHA1
fd5e87fe12df96def7ec3823744c063ecbcf653d

SHA256
eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

SHA512
3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

Download Submit
memory/2744-0-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2744-2-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-10-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/2744-11-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-12-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/2968-8-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/2968-9-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing