ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe
Size

5.9MB
MD5

77f2dec62d1981962aed70ec77f926dc
SHA1

36b6a104ba93f39d04a515d05251787e75dfbc58
SHA256

ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01
SHA512

a9000decebb04cf958a643602958d0f17a19a7ab14ff1c364ff53540418dcec21bbbc6571da16c39bfa4c91c2abba2f63debcf47cae9c8b200e4cbda5ecf25ed
SSDEEP

98304:t6VuCmfJ6qmebsD/RDK+mpY7B66Fp5qocNmLxZLS1Yi5yBGN0r7y1b+upy:QUB6hZzRDK+QY782pzLxzYyBGy++up

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1316	Metrino.FirmwareUpdate.Runner.exe
4624	DetectPlatform.exe

Loads dropped DLL 32 IoCs

pid	Process
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
4624	DetectPlatform.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe
1316	Metrino.FirmwareUpdate.Runner.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	DetectPlatform.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DetectPlatform.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Metrino.FirmwareUpdate.Runner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Metrino.FirmwareUpdate.Runner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Metrino.FirmwareUpdate.Runner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Metrino.FirmwareUpdate.Runner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Metrino.FirmwareUpdate.Runner.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1316	4180	ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe	85
PID 4180 wrote to memory of 1316	4180	ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe	85
PID 4180 wrote to memory of 1316	4180	ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe	85
PID 1316 wrote to memory of 4624	1316	Metrino.FirmwareUpdate.Runner.exe	88
PID 1316 wrote to memory of 4624	1316	Metrino.FirmwareUpdate.Runner.exe	88
PID 1316 wrote to memory of 4624	1316	Metrino.FirmwareUpdate.Runner.exe	88

C:\Users\Admin\AppData\Local\Temp\ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe
"C:\Users\Admin\AppData\Local\Temp\ae17e7be27cc15e2769a0b327a8ae3592168563cc480ae1a681a1b41c1a9dd01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Runner.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Runner.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DetectPlatform.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DetectPlatform.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DetectPlatform.exe

Filesize
397KB

MD5
ea00706bf1f9b079cb30d1318f363db8

SHA1
534478ae7cdbb354228dab43499a3c6c74687e7a

SHA256
f6984512c73d42abd285796d457472872453f8a8098ac5dfe3f3c320143ab736

SHA512
b9573ab3b17f4375684888e5f8aa11d56fe9462509067e3962cf7e66f2da81bbbd28d5f5cf55c9f6da78f15ed8d69dcbfe5cbf05f6be33f862acfcc682c95853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Angola.dll

Filesize
5.5MB

MD5
627bb6466b1a1867f7e776990c987ae7

SHA1
61515339f991bc7fe1e30d4eabd45798e3583431

SHA256
b4d9aaee85eaf068b1f4c59b342bdf9a14b3b38a836e27d29bce33c89be70568

SHA512
627c1833ca29db1d51fa81a1cd03d0ac3f8c9a62f74660de09d5c07d83cf0a7f5b44841f20ebb10c1b9e5f171de3a45db022228a5a773422d960392b11928a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Information.dll

Filesize
6KB

MD5
1880020d1e1f7660110eb4f50dabbf53

SHA1
df0a2f385edd0e0e7d577ecf72ff110116ab38b6

SHA256
4fead9813021c57515f8e943cd459bbf7e5868f94e6349687424946a845ddc5c

SHA512
699d838f9461a1d428f09512fb46a3ebb984b84d43edf2662996cd4cf780428d120eb07ed0db7e764bea4bcac44eb0057de3bd51d843babd7a9ccaa849ee2600

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Models.dll

Filesize
659KB

MD5
4dfdef78673dcb560caf1fce857592de

SHA1
8937f1eedb9f2321b625fed74e5bfb440a0a1aec

SHA256
b644cf7c40983e363ba60750f578b0931bd4bec3be4c07091a8963fe438dcde6

SHA512
5f106fc58be2d4f4ed6a39db50da79a90c7225986eff40737ee2f526c0be42e44524eb94d4b62ce188531b238c503029bf7556b5df135bc2161ef1dda5129097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Runner.exe

Filesize
66KB

MD5
2b376532eb5596db46e27c6e099d3463

SHA1
47a72b67a0ea346467ad583338c1995af91b37ec

SHA256
3fc201acb13cbab909da75b4933bc6d3baba8253cee0cc6e410fca49149866f4

SHA512
cf8482df6c40ab334ad2d3e63a037d1f2d042b6ed9e7d578afb3224d66a2cc33dcc47a5f8e274d59bfae8810fa241d77ba0eefbc7e4272481f074ec56dd85271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Runner.exe.config

Filesize
2KB

MD5
17b7a9d18a414076d206d9af8511b48f

SHA1
2f6308f876a4f6e06e145bd009146c876fa7701c

SHA256
33d954a6979711389bdfa60f03343f445ac30ed4cdf4b655764aa94ef7a83efe

SHA512
f840792a78d5136123b3e19a0b431f89620b588e5c50bef4114d99e2fde987014fb8e25ccfe8bdf0a6f0639579fed77dc4d919818be44edd6ef46b051f3742ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.FirmwareUpdate.Utilities.dll

Filesize
551KB

MD5
7b23352d514ae486659147b9650767a7

SHA1
7d27f5917172dadbb4678593af57048c45e6d235

SHA256
7ebfa3b4c50e3c0233afe654e195258d713c6768ce6f7aaeef2c23f0f11aadd4

SHA512
329743ac659fe31e6a543b17285871e51e8c47b4658d8d0d8d720151d37000c0483fd34be6051f2a9d1410617961ec691be7e702e98303ef5b06d358016ef445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.Platform.Bridge.Hal.dll

Filesize
62KB

MD5
34eefd701244d6d5afa276991c2d3a81

SHA1
127357fb59f9b40410c3e12e4e03a971ad08e2ea

SHA256
e4eab64b3be1eecbb6393b7c2af21879c03361432fb5febe8e2e0caf7aef6cc9

SHA512
5cfbae5363bd2c638a4b5eafb713b546d4d36385732993df3f5394f7294f4385a31bbd8a8d88f481aca06e07fe5d0223ce5cde5dad301c695c87b19c2f2343ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.Platform.Hal.Angola.dll

Filesize
152KB

MD5
ff2811a2e09f0217d61b07d03972897d

SHA1
65c0f071de7ec93ab266c0ec8eaf26f961784704

SHA256
4674329b6cb6f1e5c21641c63fd825fa3f89cbb6f7c9793487c4622e4c8fd7f1

SHA512
11f134b1af368969d6d17c078e32741c483ad85c525f5ea66a403747535bea6baaf789da006eb83573e8870d7ed8d743ae568748b4e3961bd4d28026e18f090c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.Platform.Hal.Canada.dll

Filesize
133KB

MD5
a9f1a52165cca905e920bb17e55dd191

SHA1
0d05ebbed5a72589175de8775d1a38d1a06a20be

SHA256
58612860e7c614b7e0642d6d1b2d31fe2ec259471ca70ac751af79c172dd912f

SHA512
7abd5ea0d256c79ddc21e2cec7e58fc7862a1f3d11aedae3d73d158fb3e3a2a49534cf1a08753d3e32d2c087abfa97fe7a428f69247980ddfa5b0cb67675f5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.Platform.Hal.Definitions.dll

Filesize
26KB

MD5
71a102a0e08b55fe9d4448582ddc2cd6

SHA1
1d8697f898b8f832c35d0d2b5719de397d5091ce

SHA256
9e6307a3f1148f9d89c6f54d74a357ef277c968a652d01f10f1965640c8bce41

SHA512
4fddf62e9dc110c49eb45edffb2bf32103f8c26376d1edaa8b860303035bf474e2f1e2120d3a58e486da007b80b5910a126970a46290306b334dda386efa26e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metrino.Platform.Hal.Ftb1v2.dll

Filesize
125KB

MD5
249dd8ca26fcc07b0a41e721c3c037c0

SHA1
ef57fc94c835746322ca1e6e680b327ad00b6f56

SHA256
8c7209b320de5dd7a1ff332c91b46048694fbf9885ceccc458a55d421ff2f86a

SHA512
3b71d713c4ae8122371a0740618030664debfd0162d3ab86b598751802e065dbc147a7e59a2fcc6afed2a089f3f7fa4406f57a0c26edc55a2c1f3a4a6222afc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegistryAccess.dll

Filesize
9KB

MD5
3bd3f9da954d63f004b4374397faab12

SHA1
d2fd001a1b9eb5c34fb3af832e5043526bf78b11

SHA256
36ba6d8257fbede7ccc6ce6c6744fc5abdc8481e0509da3063e66a6269a97cc2

SHA512
0a232f89439b924148b81de60fe7428bdeb004f6402eb726bf02668d7df82be1c85b3674625b8fed1de52d41480afac4754bf39d3249af32c778b664d45c3d02

Download Submit
memory/1316-59-0x0000000008740000-0x0000000008CBE000-memory.dmp

Filesize
5.5MB

Download
memory/1316-53-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/1316-63-0x00000000083E0000-0x00000000083E8000-memory.dmp

Filesize
32KB

Download
memory/1316-33-0x0000000000880000-0x0000000000894000-memory.dmp

Filesize
80KB

Download
memory/1316-37-0x0000000005340000-0x00000000053EC000-memory.dmp

Filesize
688KB

Download
memory/1316-67-0x0000000008420000-0x000000000844A000-memory.dmp

Filesize
168KB

Download
memory/1316-55-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1316-71-0x0000000008400000-0x000000000840A000-memory.dmp

Filesize
40KB

Download
memory/1316-32-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/1316-95-0x0000000007280000-0x00000000072E6000-memory.dmp

Filesize
408KB

Download
memory/1316-111-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1316-39-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/1316-109-0x00000000085F0000-0x00000000085F8000-memory.dmp

Filesize
32KB

Download
memory/1316-38-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/1316-54-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1316-43-0x0000000005840000-0x00000000058D0000-memory.dmp

Filesize
576KB

Download
memory/1316-100-0x0000000008550000-0x0000000008564000-memory.dmp

Filesize
80KB

Download
memory/4624-81-0x00000000700A0000-0x00000000700B4000-memory.dmp

Filesize
80KB

Download
memory/4624-93-0x0000000004D10000-0x0000000004D34000-memory.dmp

Filesize
144KB

Download
memory/4624-89-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4624-80-0x0000000004C20000-0x0000000004C34000-memory.dmp

Filesize
80KB

Download
memory/4624-77-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads