eb3c8d9cf2fbc41e039e1878117a34e440c6e709fa17b31420e7c188f5dbfdcb

General

Target

teleopti_te_eg.pfx
Size

5KB
MD5

88c01f786c26a0333a71f66cd7179d64
SHA1

871fbc4cc967104e7a2fa5522d27ee9e575623b8
SHA256

eb3c8d9cf2fbc41e039e1878117a34e440c6e709fa17b31420e7c188f5dbfdcb
SHA512

32c536a780cf71d8f112106016eb3864f28b691a7e8dedfbef425a4c242fd5d8b3a6410b3a41c71d743e3f694bb77240aa8c7d5d5da2ccb486c3e547dc2c1442
SSDEEP

96:i4KdZeATOuB5mvcyqSAYV1ginSN8Y2BJjvo0lysr0gxzzdSnOwzjh9+nZ7JY3i7x:i4KdB+vcg6p2TA04bgHEOgFEnjx

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\SystemCertificates\CA\Certificates\784378291E672186D904E87E61E5CFD3321BDF43	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\SystemCertificates\CA\Certificates\784378291E672186D904E87E61E5CFD3321BDF43\Blob = 030000000100000014000000784378291e672186d904e87e61e5cfd3321bdf432000000001000000a8050000308205a43082048ca00302010202133a000000035d5843edef5b172f000000000003300d06092a864886f70d01010b050030133111300f060355040313085445526f6f744341301e170d3137303130393131333132365a170d3337303130393039313831355a306031143012060a0992268993f22c6401191604636f7270311c301a060a0992268993f22c640119160c54656c65636f6d456779707431153013060a0992268993f22c6401191605436169726f311330110603550403130a544553756243412d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100983b1d95cc2913639490405ca5c27602800136511fa19cac2defb9876ddc9d38c329f46ce0d28c7a4b650491d06488400a8bd7805877aedc834aedfd15bef3860c6cfddee5c169ee366456323cc36d7f6103484fa43e15d43349dfaf6cea4ca6cfc9d6b0ba25d87b88b12c5ccc0728d7ee8e18e640063a4e3012f83bb6f08faaad58a4cabb84d514c9bd79a5b81d7f414c573c68bd17b82d0cb3a7cfc9301c6e755d197418fe0a02de3b6efdacb7d4ef73178d35254192fa5b61ea4aff2d6f112258417c08ad03edad797d451c2dbdb690ab2cc4473ba3157eff93f4c9b280afe4773c097da9c8da07036d8a0e90d3efe4059405c082650406e994f7170d33f70203010001a38202a23082029e301206092b060104018237150104050203010001302306092b060104018237150204160414e85feec84b468fb2454f692141d5755bf633ee3d301d0603551d0e04160414d3b28a03a7a6d193d05749ac9e0ffe7e41b0d385301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d2304183016801479079a0fe5f20d82dbe9140475010733e0ba21973081ef0603551d1f0481e73081e43081e1a081dea081db8681aa6c6461703a2f2f2f434e3d5445526f6f7443412c434e3d737662372d726f6f7463612d30312c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c44433d556e617661696c61626c65436f6e666967444e3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74862c687474703a2f2f737662372d73756263612d30312f43657274456e726f6c6c2f5445526f6f7443412e63726c3081f706082b060105050701010481ea3081e730819b06082b0601050507300286818e6c6461703a2f2f2f434e3d5445526f6f7443412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c44433d556e617661696c61626c65436f6e666967444e3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479304706082b06010505073002863b687474703a2f2f737662372d73756263612d30312f43657274456e726f6c6c2f737662372d726f6f7463612d30315f5445526f6f7443412e637274300d06092a864886f70d01010b0500038201010001be85fa41c57798d08de74f8286f5c39ef3bc39a11e2124b0cf056521f36220ae1bfc87d0883fc4442312597bb8dd3574dea0f6cc2c6d076202bbf0972c9a9f3ed6cc8d6ade907cb47191cc6ae74fe9e0fb2950ab22efe54e524727da251d01e63ed62c10414d8c4715d842a29d12dd9b40c4676578d3d801564fe8ff9c3c550d17a6eff949d2ca2a7769267901f30826ee3f789cdc8e229c1702707ef52c0dccc4271fa0564b5528a0d92bf9afd75dd7c40aa1eb64519d063338255772749bd3add3914fcc14b5890c832cab6387ef3956bb71714e01b7a633092103e91651432a43eb9ee022b19807831e399ea65d1df4542e237261d5b1e77358fb5fb525	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2680	2304	cmd.exe	32
PID 2304 wrote to memory of 2680	2304	cmd.exe	32
PID 2304 wrote to memory of 2680	2304	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\teleopti_te_eg.pfx
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\AppData\Local\Temp\teleopti_te_eg.pfx
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2680