3543ba253dc970f26d89deed5f2175a0646ee365335d32d7fda97f728cee3af9

General

Target

80d575bd5d519ba60f184e49f98d6d01.exe
Size

46KB
MD5

80d575bd5d519ba60f184e49f98d6d01
SHA1

a267147aee4b4b5fc9f6a62a0a85313608294dd2
SHA256

3543ba253dc970f26d89deed5f2175a0646ee365335d32d7fda97f728cee3af9
SHA512

5441d55b0fe61e9acc4e9e4a1f7d2092c805ff834d7481c99a61fdba5b118b411a6339eb8c55c4115c33d55df534fdd46ed1b024efd1197842a0d96989204249
SSDEEP

768:dD2oV2AJblQRNLzFrSNTVebqxjxMQhMk6Cda2gJx:dCoVXGRTuhBxj/hY3Jx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	supdater.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	80d575bd5d519ba60f184e49f98d6d01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	supdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	supdater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28
PID 2756 wrote to memory of 2052	2756	80d575bd5d519ba60f184e49f98d6d01.exe	28

C:\Users\Admin\AppData\Local\Temp\80d575bd5d519ba60f184e49f98d6d01.exe
"C:\Users\Admin\AppData\Local\Temp\80d575bd5d519ba60f184e49f98d6d01.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\supdater.exe
  "C:\Users\Admin\AppData\Local\Temp\supdater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\supdater.exe

Filesize
47KB

MD5
b227e9cd678bc8c00ec4eb0deae77928

SHA1
b8650f5e02c241c63a02e06843ff678f85cce0ca

SHA256
454fb371508b40660027d9d5721d670a84923d5995b60dcedc220fd6cd8a7419

SHA512
bb237f133f2aa14530d3fc32d34951db62c26561409ec6afdb161a9d1219a6e54f9ee8868be3496ea13fd6326f24c0f53eee86d598358e97947839635d2f1b1d

Download Submit
memory/2052-7-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/2756-1-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing