87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201

General

Target

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe
Size

140KB
MD5

88f4c4e1817dff85942d26934aee4a81
SHA1

1c3c511f468c4bd011d5f5bf4496fd2a67882f3e
SHA256

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201
SHA512

179b76e152690d01c8a38a4712fe6cd342e1408673fb7630f0bcfe0de3d972d2782764e5481f486e500524e94c0d811ae2e5e12c99dee230644253b0c939f4a0
SSDEEP

768:OMr2id6gIzTSOVDkinKEbB+bBKF/8ncpROz3SeN/OVTg:OMvApkinDHWncSzSsU

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

PhuongNam Signature Alt Setup.exePhuongNam Signature Alt Setup.tmp

pid process

2712 PhuongNam Signature Alt Setup.exe
1856 PhuongNam Signature Alt Setup.tmp

pid	process
2712	PhuongNam Signature Alt Setup.exe
1856	PhuongNam Signature Alt Setup.tmp

Loads dropped DLL 3 IoCs

Processes:

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exePhuongNam Signature Alt Setup.exePhuongNam Signature Alt Setup.tmp

pid	process
2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe
2712	PhuongNam Signature Alt Setup.exe
1856	PhuongNam Signature Alt Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe

description pid process

Token: SeDebugPrivilege 2284 87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe

description	pid	process
Token: SeDebugPrivilege	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exePhuongNam Signature Alt Setup.exe

description	pid	process	target process
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2284 wrote to memory of 2712	2284	87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe	PhuongNam Signature Alt Setup.exe
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp
PID 2712 wrote to memory of 1856	2712	PhuongNam Signature Alt Setup.exe	PhuongNam Signature Alt Setup.tmp

C:\Users\Admin\AppData\Local\Temp\87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe
"C:\Users\Admin\AppData\Local\Temp\87db2ad6763ef942b85eaa18dd46da52aac5a0439f03481309e33b628bb3d201.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\Documents\PhuongNam Signature Alt Setup.exe
"C:\Users\Admin\Documents\PhuongNam Signature Alt Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\is-BL94I.tmp\PhuongNam Signature Alt Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BL94I.tmp\PhuongNam Signature Alt Setup.tmp" /SL5="$70122,35217895,733696,C:\Users\Admin\Documents\PhuongNam Signature Alt Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BL94I.tmp\PhuongNam Signature Alt Setup.tmp

Filesize
2.4MB

MD5
c69513647454b5bd64610346ac499ee8

SHA1
a116a946d9e602d4058ed6395f51d41fc2ee1ebe

SHA256
9f2b0f81445d98bf1fe3d45d63e81c790ea691739455a8e07a94916350ae6ab9

SHA512
08c68d4a5e3fb41a73838911c475bf748ba6028af1bbad4221f4a5c5385ef7bc62c6f6ec823b8b72e6716269fac3d969647b8d87ebaf1934369799ddbed1de98

Download Submit
\Users\Admin\AppData\Local\Temp\is-6LM25.tmp\_isetup\_isdecmp.dll

Filesize
23KB

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\Documents\PhuongNam Signature Alt Setup.exe

Filesize
34.3MB

MD5
402a32b3e2340b506031c923b2effdc0

SHA1
7e29f503499df56d1baed21913c773de1d97f632

SHA256
93cab55655a4e33b028154410ce3444f4b8b9c853207bcc2433ed9fbd9f6e49e

SHA512
ed03a4c071844fe38ef058a429c4095c19a9a97ee4ee2acd762f18a9d1f9a1bdd530435dfcbebbadc2f8df0f5f5c28e2beb7322c7b3820ea16343f985a3a7720

Download Submit
memory/1856-27-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1856-21-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/2284-3-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2284-14-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-4-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2284-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-1-0x0000000001130000-0x000000000115A000-memory.dmp

Filesize
168KB

Download
memory/2712-15-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2712-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2712-26-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads