c00280f16aa9c12f6a8a7f29c493f17c237e570ae1fe481d368ea0ab4eafedf5

General

Target

Mia_Khalifia(18+).exe
Size

4.2MB
MD5

9c6352ad45c6ce5ab18f75f4fcf3c85d
SHA1

3908a22b5a4dceedc813b0deded861fdbc9ae6fb
SHA256

c00280f16aa9c12f6a8a7f29c493f17c237e570ae1fe481d368ea0ab4eafedf5
SHA512

ba2d87ea0c656b6b3de4075e465b8b5c991c89a32446c460ede9052e7b9ea7b64e52858971a5b620ad78393074b84cc7bcde70cf989e1de76514f3076e07f925
SSDEEP

98304:mnyNQa/26tLM4OXoQCn9+juAoHsvP0mDFn169ryxbTkNW:0yNQa+OLM4eoQIiIsXnu9exHko

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2756	attrib.exe
2872	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	Mia_Khalifia(18+).tmp

Loads dropped DLL 4 IoCs

pid	Process
948	Mia_Khalifia(18+).exe
1768	Mia_Khalifia(18+).tmp
1768	Mia_Khalifia(18+).tmp
1768	Mia_Khalifia(18+).tmp

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Mia_Khalifia(18+).tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Mia_Khalifia(18+).tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Mia_Khalifia(18+).tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Mia_Khalifia(18+).tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1768	Mia_Khalifia(18+).tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 948 wrote to memory of 1768	948	Mia_Khalifia(18+).exe	28
PID 1768 wrote to memory of 2908	1768	Mia_Khalifia(18+).tmp	34
PID 1768 wrote to memory of 2908	1768	Mia_Khalifia(18+).tmp	34
PID 1768 wrote to memory of 2908	1768	Mia_Khalifia(18+).tmp	34
PID 1768 wrote to memory of 2908	1768	Mia_Khalifia(18+).tmp	34
PID 2908 wrote to memory of 2756	2908	cmd.exe	36
PID 2908 wrote to memory of 2756	2908	cmd.exe	36
PID 2908 wrote to memory of 2756	2908	cmd.exe	36
PID 2908 wrote to memory of 2756	2908	cmd.exe	36
PID 2908 wrote to memory of 2732	2908	cmd.exe	37
PID 2908 wrote to memory of 2732	2908	cmd.exe	37
PID 2908 wrote to memory of 2732	2908	cmd.exe	37
PID 2908 wrote to memory of 2732	2908	cmd.exe	37
PID 2908 wrote to memory of 2872	2908	cmd.exe	38
PID 2908 wrote to memory of 2872	2908	cmd.exe	38
PID 2908 wrote to memory of 2872	2908	cmd.exe	38
PID 2908 wrote to memory of 2872	2908	cmd.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2756	attrib.exe
2872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Mia_Khalifia(18+).exe
"C:\Users\Admin\AppData\Local\Temp\Mia_Khalifia(18+).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\is-OP72B.tmp\Mia_Khalifia(18+).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OP72B.tmp\Mia_Khalifia(18+).tmp" /SL5="$3012A,4088111,75776,C:\Users\Admin\AppData\Local\Temp\Mia_Khalifia(18+).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" cmd /c 4554.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c tar xf 85.zip
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab453C.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar467B.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\av\4554.cmd

Filesize
210B

MD5
f8254e719c5f499fcd279d9a7f3eae3d

SHA1
ba6158e60b2da3d9eab7e2c3a76630194d099e25

SHA256
b302609a09311ad913431e2be94447c9fe248ff573510d6d3b7d80a0cd49d031

SHA512
d02be62040c62b0916b750c2ed776a273b57a9754eab8a2858a713dafd915ccb3257cb6944565490dfcea6608e38b31a7189b8c19bfd01b7d2e487b5bfeb547b

Download Submit
\Users\Admin\AppData\Local\Temp\is-4FV5A.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4FV5A.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-OP72B.tmp\Mia_Khalifia(18+).tmp

Filesize
915KB

MD5
9659ca7527a63b56d0bc5750be04a2d5

SHA1
e09fde1f286802c9374ea9a5a813e321c28d1de2

SHA256
7b8b708f6062f4a3a1d7dca4e71d04035e5f3df0aae41f1f9d83692787a78706

SHA512
80a4b22d49384b61fa50814ea5d475879bacf47a52c6e211935b127e234cefca20fa6fe67b582d2ea503db85246a1650384fa0dbd7d7c0d6abb20ea5d0f028dd

Download Submit
memory/948-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/948-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/948-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/948-91-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1768-15-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1768-63-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1768-68-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1768-89-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads