240dbde0e84313751796b10fa6c9694cf570d39f407c0229c2ca605f646be5de

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b605c8ac2b33b256c9d13c296ea67e56.exe
Size

572KB
MD5

b605c8ac2b33b256c9d13c296ea67e56
SHA1

29e40d5621c3936c9438458edef5144653b8bfea
SHA256

240dbde0e84313751796b10fa6c9694cf570d39f407c0229c2ca605f646be5de
SHA512

9b345beb523818de7d6e2179ad859631b5f2583ca8a0b75a60db76e5a9c810bb618e78dd8cb72f839ce18594203c6a173cae89399a30a2abff76c67682c99815
SSDEEP

12288:MEBd/Bh12IV1KjloZ1OTOkHDJ+VpQr5Oze8:pKnTtgpQr5Oze8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2448	b605c8ac2b33b256c9d13c296ea67e56temp.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	b605c8ac2b33b256c9d13c296ea67e56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	b605c8ac2b33b256c9d13c296ea67e56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	b605c8ac2b33b256c9d13c296ea67e56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	b605c8ac2b33b256c9d13c296ea67e56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	b605c8ac2b33b256c9d13c296ea67e56.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28
PID 2956 wrote to memory of 2448	2956	b605c8ac2b33b256c9d13c296ea67e56.exe	28

C:\Users\Admin\AppData\Local\Temp\b605c8ac2b33b256c9d13c296ea67e56.exe
"C:\Users\Admin\AppData\Local\Temp\b605c8ac2b33b256c9d13c296ea67e56.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\b605c8ac2b33b256c9d13c296ea67e56temp.exe
  "C:\Users\Admin\AppData\Local\Temp\b605c8ac2b33b256c9d13c296ea67e56temp.exe" /temp UU "C:\Users\Admin\AppData\Local\Temp\StormVadeUninstall.exe"
  2⤵
  - Executes dropped EXE
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
9b1f6b70bda69a1103260c6951aa560f

SHA1
121da6f9d62998913f09dedbb4b23efdc2d509c2

SHA256
fb69fd0d9babc979c3b479a20301fb658b23ccab1b0377925423860439dda4d5

SHA512
3ab2380733ec7c1e1bdf2252cecaf4b5d50aff8b887184de127b0849016a19dd332dc9d392254f4dcca71c730f17bb9d1a57b1fe47e32adc78a1021d433448d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_D92494B773AB5C42A7CD37536B2BFF0A

Filesize
1KB

MD5
04687ad9161d66e8fdad19f521875636

SHA1
c00e694d8ac3986f8096d52946e896139aea6f37

SHA256
64bec21b48c355d6befb80e47e7e7dce56f24fd992496241a9512149086349c7

SHA512
b6008322a010cdb174cc0ecc6e4e645df4a8214a7970b450ee05499a71d823b14ad319d1bfee070275a48a2e86161993d8c0f29c549816e25d31bab4568f783b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
cccfa9dff1250dc15b3dbae9a48ef24f

SHA1
126fedef25bd1d5b6637045b27befa29ce94c2e4

SHA256
c4d905c245731f7caf7e34722e46e7f3196e742969ac0579b19e07dffd8aae21

SHA512
d1791dde69a75fe17b37d95bbbb3ee388c6d0d75a02e0365d251ed624167acca035641fc966921fb9fbb64ab9411279cc0bac3ffafc142d805392b3a0f4787a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
6fb18f792a594af57a04f87fe16b3939

SHA1
f04db8de84325344749ead6ea7587182cdd1fb7c

SHA256
2756e1483547b539c671fad5e4763b608b252d83f79266426cfc4c78d4a13b70

SHA512
f46a5f7ff7de1cb566997841ac931d7abcf3436031bea1299b25889d5b40f8b22d868a3be6767afdfbc5f31b49f6f6ccf499f538e48f88b974baf59403b0ef4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35b28e2c2d0109d0dd06144c6cefd988

SHA1
5819e70567707cf429f8e4ade61cfe46eb7fa854

SHA256
dcfe9dd62d3870954a638215dede1c86cacdb033040a943589599532683a9f87

SHA512
4dde8f7ef310f36473f2775a5a713f52acdb3320521da788149ea89000db5a5b0fae04fcd8ab74038066a5d49d21a57ebe42510ff883c814b5e9b5220f062438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_D92494B773AB5C42A7CD37536B2BFF0A

Filesize
398B

MD5
8f217862720e65beafd045110df14514

SHA1
b3619c51a4ce4deb44fe14fde00f99fa666d9e28

SHA256
1ac29ff0641e9590f67a8a5c8f16f06582c5e67245eafd57e14b7650ae1c1800

SHA512
b09ad1b11860e16d034f42d40294cc866de375e4169eb6ad3231a4222b1076bb17a858ebfcd961cd961b95fd988d298665bc3b73a3dd4c4e708425ce997b3d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48F9.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\Temp\b605c8ac2b33b256c9d13c296ea67e56temp.exe

Filesize
572KB

MD5
b605c8ac2b33b256c9d13c296ea67e56

SHA1
29e40d5621c3936c9438458edef5144653b8bfea

SHA256
240dbde0e84313751796b10fa6c9694cf570d39f407c0229c2ca605f646be5de

SHA512
9b345beb523818de7d6e2179ad859631b5f2583ca8a0b75a60db76e5a9c810bb618e78dd8cb72f839ce18594203c6a173cae89399a30a2abff76c67682c99815

Download Submit
memory/2448-87-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-69-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-71-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2448-88-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2448-89-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2448-90-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-91-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2956-0-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-70-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-2-0x0000000000C20000-0x0000000000C60000-memory.dmp

Filesize
256KB

Download
memory/2956-1-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download