c1a124e9904ee00eb2fdb77da767838e55a27660ca804e9d84fcaee4e80f4aa4

General

Target

59f8e00e6252280b8d43b38d60705990N.exe
Size

57KB
MD5

59f8e00e6252280b8d43b38d60705990
SHA1

6f52f1d51a54aa0ff6fa1812117ff2a64c0de59c
SHA256

c1a124e9904ee00eb2fdb77da767838e55a27660ca804e9d84fcaee4e80f4aa4
SHA512

16d69a71872885789126788d8e3120cf2c38158a701878e98be861b1b4ef1fccced9863d6d15bfcd6254442330badd57be3ba7ed1a4c05819e85fa4464b4c228
SSDEEP

384:asjPGY2HXgrkEYYhQ98E8I1XAV/QcaYpATUgch1A9NB/erxlF8fmLv:aePG5H8XhKD8ISZQjkgs1lxlFemLv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	winupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	59f8e00e6252280b8d43b38d60705990N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	winupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	winupdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30
PID 2356 wrote to memory of 3036	2356	59f8e00e6252280b8d43b38d60705990N.exe	30

C:\Users\Admin\AppData\Local\Temp\59f8e00e6252280b8d43b38d60705990N.exe
"C:\Users\Admin\AppData\Local\Temp\59f8e00e6252280b8d43b38d60705990N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\winupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
57KB

MD5
6af8df5a0994ef89d35e046b121ef1d2

SHA1
8aeda12bedf2d909ff650c01cd3519abd1cc5793

SHA256
6f0d38f62305456dedd01a11a8ce9e6633d82451420c1e3f8af45b534cac3052

SHA512
ed35c20be4adf54ed8719ffb989d8806868e939b81e333e86f17885eb82726dc5a683fe8b7a0a34d05e9d3f1a9ba3440136360fbb429d0d017b0d34aa1778b70

Download Submit
memory/2356-0-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2356-2-0x0000000000501000-0x0000000000502000-memory.dmp

Filesize
4KB

Download
memory/2356-7-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/3036-9-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/3036-10-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing