962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19

General

Target

962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
Size

8.7MB
MD5

b3af772173e18e4f2db30ced2509046d
SHA1

269b3814195634e902dd7f1447b61dafec031d9c
SHA256

962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19
SHA512

675981c62ac1c542622f0eaff91954f775d53cdf5e78d1c7b4205e1d31ef1c17f9b17c9b495570ffda904bc07238f401737a1721af1817d9ab0e06db7563cd92
SSDEEP

196608:DtZougnAUVJH1WRclH/TKCrVZ4vUqWAptiODug+082w:DtZougn8RoH/TKCBCcqNtiau7r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
2920	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2920	2064	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe	28
PID 2064 wrote to memory of 2920	2064	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe	28
PID 2064 wrote to memory of 2920	2064	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe	28
PID 2064 wrote to memory of 2920	2064	962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe	28

C:\Users\Admin\AppData\Local\Temp\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
"C:\Users\Admin\AppData\Local\Temp\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\~ACCAStore\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe
  "C:\Users\Admin\AppData\Local\Temp\~ACCAStore\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe" "C:\Users\Admin\AppData\Local\Temp\" {1ECC418F-F354-4A02-9808-70D08D7AF70F}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
471c45178223fc4cf433ea1e8a91be66

SHA1
18d8f695594985e51a5a0e4b7c68ce766e473cbb

SHA256
97714e4d66a04ccedcc5d38b01880f0509356442348c3f302a1f97981da957bd

SHA512
b62ab1e3a499a9265c6d4d93625807407c2776ba360fb5cced959095f343b124e9d38ef761529d7fef40f0ed932cb9e2b2a83c05541c62a7ae3e9d519922fa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar30D7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~ACCAStoreLog\PriMus.aclog

Filesize
978B

MD5
9ff93a8b92db24407f24434c89ea8ca6

SHA1
6d9e3bde134e04386ae9efb2afe52944b07ca269

SHA256
b4d4c9315e63c53f35157ca1e0df5d6613f5cdd3c34f4d52ecd38d363aca9623

SHA512
fb1cd7c8e86ca9a171a1b3d6cd2b0ddc7c46170309931e7be342c56ca6938b049df4449d540ab58160b76615c9f0da1ff2689e8d1a37a05e42cd0a60349feab2

Download Submit
\Users\Admin\AppData\Local\Temp\~ACCAStore\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19.exe

Filesize
8.7MB

MD5
b3af772173e18e4f2db30ced2509046d

SHA1
269b3814195634e902dd7f1447b61dafec031d9c

SHA256
962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19

SHA512
675981c62ac1c542622f0eaff91954f775d53cdf5e78d1c7b4205e1d31ef1c17f9b17c9b495570ffda904bc07238f401737a1721af1817d9ab0e06db7563cd92

Download Submit
\Users\Admin\AppData\Local\Temp\~ACCAStore\962928200a5b740d9531a26c3cecfcd1ba3635b4f47771d32ecdcbfab5a90c19\FUppSetupLib.dll

Filesize
3.8MB

MD5
15d7aa4118a21a61db21a703f9df1681

SHA1
59bda5a4025249874035530256289a6554bb218f

SHA256
cb3f3da6021ce226fa61d126df75a5cc5aa2114c42d024a5fa0547340c3191f5

SHA512
2409a37a98abbcf77bd220feaa563c3ac1022fbe8334ddb78220cd3075fc468b956bdf565edb4bf2626a282061999db17032dbada25605ea4dade243ae9d8c14

Download Submit
memory/2064-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2064-15-0x0000000000400000-0x0000000000CC1000-memory.dmp

Filesize
8.8MB

Download
memory/2920-94-0x00000000057B0000-0x00000000057F0000-memory.dmp

Filesize
256KB

Download
memory/2920-92-0x0000000002E20000-0x0000000002E2A000-memory.dmp

Filesize
40KB

Download
memory/2920-89-0x0000000004D30000-0x000000000517F000-memory.dmp

Filesize
4.3MB

Download
memory/2920-18-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2920-218-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2920-219-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2920-221-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2920-220-0x0000000000400000-0x0000000000CC1000-memory.dmp

Filesize
8.8MB

Download

Analysis

Sharing