35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1

General

Target

35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe
Size

322KB
MD5

3c6601046dc8fbf0d7a0a9a49f9e85bb
SHA1

e3335162f84246987c092e8c0850ca8b05589cc7
SHA256

35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1
SHA512

242d8b0b34692d6cb717e5d39bf8e99a3d0f8d9874752dd1e907d592c50e33e04ef5877c4d60fa2be60b8460313f03eff83fc55ae1eb671ac6e8736c496f95a3
SSDEEP

6144:+TouKrWBEu3/Z2lpGDHU3ykJyT+tjs/Lsw:+ToPWBv/cpGrU3yDT+tjILsw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2500 wrote to memory of 2364	2500	35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe	30
PID 2364 wrote to memory of 2524	2364	cmd.exe	32
PID 2364 wrote to memory of 2524	2364	cmd.exe	32
PID 2364 wrote to memory of 2524	2364	cmd.exe	32
PID 2364 wrote to memory of 2524	2364	cmd.exe	32
PID 2364 wrote to memory of 2268	2364	cmd.exe	34
PID 2364 wrote to memory of 2268	2364	cmd.exe	34
PID 2364 wrote to memory of 2268	2364	cmd.exe	34
PID 2364 wrote to memory of 2268	2364	cmd.exe	34
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2712	2364	cmd.exe	35
PID 2364 wrote to memory of 2720	2364	cmd.exe	36
PID 2364 wrote to memory of 2720	2364	cmd.exe	36
PID 2364 wrote to memory of 2720	2364	cmd.exe	36
PID 2364 wrote to memory of 2720	2364	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe
"C:\Users\Admin\AppData\Local\Temp\35b0265fecf31df721909d32dab4993cfb217f2d1b8f6fc367188931c02f47f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_Root_Certificate_2040_Local_Computer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore "Root" "guc_2022.cer"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore "CA" "ucfk_2022.cer"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore "CA" "ucfk_2023.cer"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore "CA" "ucfk_2024.cer"
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_Root_Certificate_2040_Local_Computer.bat

Filesize
2KB

MD5
552b7fd85412b4b42d0c4dc18c6f539a

SHA1
8d380ad47881013b6f79f61fb10c95f6e6174afe

SHA256
ecb1a9f2b08abb89a17a868175cac13e11ec2f6bb27d12e39d9f7173900f673c

SHA512
e3c7ac6b698d528270d9a8f4470a9d1146344cf4333b6d18868126355be1e5ab469a09c15e37927ee33efb6dca24fa3e866173e304129b826cad646bb69d9cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\guc_2022.cer

Filesize
1KB

MD5
12cfa78f515907965e546048727e3bd6

SHA1
2f0cb09be3550ef17ec4f29c90abd18bfcaad63a

SHA256
4bb37cc7c0ff4bf2aa893e95076ebb3565c69237ee1b61635beee4c1966495c7

SHA512
c3e03824939825eb727ecd9dac372f2502e1a465a2c9e27cbb94263cc65075e3caadddf12059c0dacc3c790a9a7843f52378d2535973a5f7fe79c7af49b2e87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucfk_2022.cer

Filesize
1KB

MD5
5a7e8a4257a19f414353c1aca5ae96ed

SHA1
0b48b8d07d142a5b45e9b0e8c52186687d75e58e

SHA256
ec99b134785192138819e11792e7c3041bdad78172d53e932f411a9dccea37b4

SHA512
68329be8f8386f1c28e00af3f6cea57219df23eda0db3e7cccf10f5122ece934c195597834ab21192be38edea16c005ba7693b4d82b848bdce56c6cfc6b456aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucfk_2023.cer

Filesize
1KB

MD5
43e340e4fe6772bbcb29217dc06744d0

SHA1
ef774890bdb325aa649032f7a16305dbaac5943f

SHA256
b18c91ad97daf3bceb52730fdd18299431f9295ffbe7baa486a00d8940a233c0

SHA512
7e224c7d0cea70d108174d5e269594b4e09f615d9393756315819df708766f9e47ce33fbed70ab2ff5abd5503e011526e97053f836a09bcd327e70dcf04a37c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucfk_2024.cer

Filesize
1KB

MD5
669f2968a2e5e66ff8f07b8804b485a8

SHA1
12bc42082d3f6027a29b7a87fe09b0329631c076

SHA256
77307a86c121e8466ddf1c1c868e19232ad549de27b014c9c1d1ee6cc555cd9c

SHA512
42b02fe0611d07026a9ba007d57fffc2dccc5b03582ab7dd7ea9f1637fc0093e28c861a450d8cf4951409fa3512e9d00cbcbd1d1ddf1d3a72e734013c84912a5

Download Submit

Analysis

Sharing