3019d1bae063f131bd6923fb5b49816059ab42c79e9889a1c29d5d7400a7a9d3

General

Target

dscomprovante.exe
Size

54KB
MD5

19186a7f0b1ef0e9f3bae129c17826cc
SHA1

dcdc63d1c2aa295616d355b55ac4827513bcadae
SHA256

beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1
SHA512

00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7
SSDEEP

1536:Y1qTXQOp6eGSC9ygcKrqnsFBjjsY7MZn1Q1Bx:dzp6euZcKusDjjsAMZn1Qx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	crfrs.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	CMD.exe
2672	CMD.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	crfrs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	crfrs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2560	1528	dscomprovante.exe	30
PID 1528 wrote to memory of 2560	1528	dscomprovante.exe	30
PID 1528 wrote to memory of 2560	1528	dscomprovante.exe	30
PID 1528 wrote to memory of 2560	1528	dscomprovante.exe	30
PID 1528 wrote to memory of 2672	1528	dscomprovante.exe	32
PID 1528 wrote to memory of 2672	1528	dscomprovante.exe	32
PID 1528 wrote to memory of 2672	1528	dscomprovante.exe	32
PID 1528 wrote to memory of 2672	1528	dscomprovante.exe	32
PID 2672 wrote to memory of 2072	2672	CMD.exe	34
PID 2672 wrote to memory of 2072	2672	CMD.exe	34
PID 2672 wrote to memory of 2072	2672	CMD.exe	34
PID 2672 wrote to memory of 2072	2672	CMD.exe	34
PID 2072 wrote to memory of 2448	2072	crfrs.exe	36
PID 2072 wrote to memory of 2448	2072	crfrs.exe	36
PID 2072 wrote to memory of 2448	2072	crfrs.exe	36
PID 2072 wrote to memory of 2448	2072	crfrs.exe	36
PID 2072 wrote to memory of 2908	2072	crfrs.exe	38
PID 2072 wrote to memory of 2908	2072	crfrs.exe	38
PID 2072 wrote to memory of 2908	2072	crfrs.exe	38
PID 2072 wrote to memory of 2908	2072	crfrs.exe	38

C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe
"C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Copy C:\Users\Admin\AppData\Local\Temp\DSCOMP~1.EXE C:\Users\Admin\AppData\Local\Temp\crfrs.exe
  2⤵
  PID:2560
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Start C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\crfrs.exe
    C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C Start C:\Users\Admin\AppData\Local\J2NXX2~1\router1.exe -start
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C Start C:\Users\Admin\AppData\Local\J2NXX2~1\nicha2.exe -start
      4⤵
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crfrs.exe

Filesize
54KB

MD5
19186a7f0b1ef0e9f3bae129c17826cc

SHA1
dcdc63d1c2aa295616d355b55ac4827513bcadae

SHA256
beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1

SHA512
00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7

Download Submit
memory/1528-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing