Analysis

  • max time kernel: 119s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/07/2024, 15:09

General

  • Target: RDM_Root_Cert_Update_Windows.exe
  • Size: 3.7MB
  • MD5: d4b2995d38da119e5b0db2cb90778224
  • SHA1: 2570198aafaf5d6f394ffd6e7e741c2316510ee0
  • SHA256: 05a6215fbf82c755b73dcfa297f229bf5b88c879b4a7a2edf680ebd97a4580ad
  • SHA512: a611e1fbd0b9997e395f1b829e4b08f833cf5d70e9e846c7eb81d8faeef9fee4af11fc43f4f47776692595ed880eda6b7fd68210cc381984fb70ccf75d680366
  • SSDEEP: 98304:uSiKiNyE3pWHFowVGfO1xW8zjoix6b8/CEqvV0CAe:/KyE5WHFowQsxVwzE/cH

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures (1 TTPs, 33 IoCs)

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Drops file in Program Files directory (3 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (28 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\RDM_Root_Cert_Update_Windows.exe
    "C:\Users\Admin\AppData\Local\Temp\RDM_Root_Cert_Update_Windows.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\is-0QP9J.tmp\RDM_Root_Cert_Update_Windows.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0QP9J.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$4010C,2990719,887296,C:\Users\Admin\AppData\Local\Temp\RDM_Root_Cert_Update_Windows.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\is-CCVB3.tmp\RDM_ROOTCERTIFICATE.exe
        "C:\Users\Admin\AppData\Local\Temp\is-CCVB3.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Users\Admin\AppData\Local\Temp\is-14SL4.tmp\RDM_ROOTCERTIFICATE.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-14SL4.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$501DC,1902883,887296,C:\Users\Admin\AppData\Local\Temp\is-CCVB3.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp/RdmCert/certremoval.bat""
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:676
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo 1 "
              6⤵
              PID:1292
            • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\certmgr.exe
              CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
              6⤵
              • Manipulates Digital Signatures
              • Executes dropped EXE
              PID:2852
            • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\certmgr.exe
              CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
              6⤵
              • Manipulates Digital Signatures
              • Executes dropped EXE
              PID:1080
          • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\CertMgr.exe
            "C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp/RdmCert/CertMgr.exe" -add -c RDM_RootCA.pem -s -r localmachine Root
            5⤵
            • Manipulates Digital Signatures
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2944
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp/RdmCert/AddCert.bat" "C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\RDM_RootCA.pem""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir /B "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
              6⤵
              PID:2964
            • C:\Windows\SysWOW64\certutil.exe
              certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\." -i "C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\RDM_RootCA.pem"
              6⤵
              PID:2848
          • C:\Windows\SysWOW64\certutil.exe
            "C:\Windows\system32/certutil.exe" –f –p rdm736 –importpfx "C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\rdm.pfx"
            5⤵
            PID:2448
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" stop "RDMAppweb"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "RDMAppweb"
          4⤵
          PID:1588
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" stop "Embedthis Rdmappweb"
        3⤵
        PID:1556
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Embedthis Rdmappweb"
          4⤵
          PID:1340
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" start "RDMAppweb"
        3⤵
        PID:2976
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start "RDMAppweb"
          4⤵
          PID:1560
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" start "Embedthis Rdmappweb"
        3⤵
        PID:572
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start "Embedthis Rdmappweb"
          4⤵
          PID:2496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js
    Filesize: 103B
    MD5: 9556062a739f56d168c1581a11192a17
    SHA1: 81ee37e3990a004b9f50cbe99d512a5a5247aa90
    SHA256: d151a50870503a2d394e3ffd65e2c0daed043ae1e54c974e80af811c7a60c78e
    SHA512: 57ab815c4f4f4f7c96d05a714f6cfebd3df47ec5c5e8363e07c3180e05bbecb03a472690ede29bb8690b2e2c0570b5512338b13710e031de8622d68667031d92

  • C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
    Filesize: 90B
    MD5: 30573acfc9586271a3f800a10c284479
    SHA1: 9cc1a1329258379698a04c33dc5d62e9ce8e06fd
    SHA256: 30b9cf8f9760bcd38617a3878d43fc19e981c6dd13d6400c2a19d2ecab746cb5
    SHA512: 4a6df4e50d8c04ad9e65a9d183d4c8b723fcb50e1e786018010a33cee2b4f73296045864fffb526d887579bec8ec5c4ca5353127fb07e632b18c5b4684719015

  • C:\Program Files\Mozilla Firefox\umbrella.cfg
    Filesize: 56B
    MD5: e40a3d559e4b85251943e071cd036d90
    SHA1: 10fc58df075108c912589f7954244a807776a0fb
    SHA256: e179ca82c741d7d4842e42bc339c0e2c9befa1a5effe33d69d6821b3121fecca
    SHA512: 07cc337d7eb364fc78b0b36acbe9f89b85d932b3d616b8edfb5f12214ecd17853ecac4725cae929cce8a803d868fc3f5a5ad4d394554bb4783b0ccafea981959

  • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\AddCert.bat
    Filesize: 236B
    MD5: 0a7f6c64eef31ddb78a7ea184a1e526c
    SHA1: 222bb7f9444ae8124eae1f243dcea4436a32d3ad
    SHA256: fdcdd7e21e9ccedacb8bfc166fd945f2cb08979682bd15e70a88bbaac48714ea
    SHA512: a9c38de565354eaf5adbb714a409056daf73e7b2f1ccfe4d26d91c687351ce29a8dea34da73fc829f0852a5a5e0839a7e4d4aa68802607aa55974f538a5ea5e4

  • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\RDM_RootCA.pem
    Filesize: 1KB
    MD5: 5236fc957397fb2700dc025c29543cb5
    SHA1: 18b222ed28c757645d6986e92e2317839a7a6c6d
    SHA256: 60db73e7d89e86f33e26e735cd9d37bfc6a097790200e9a32a4afe7b80cf3f4a
    SHA512: f3a6da5ba7130984edcaf323a42bf3d5b99a6bfed01f4893f215918210f4573b287e2e3f26fa384d013bc2ee7c993592541b99614a0f733dc3fcef3d1f5c10e7

  • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\certmgr.exe
    Filesize: 58KB
    MD5: 5d077a0cdd077c014eedb768feb249ba
    SHA1: ea2c62d69a1f6b9d643fe16319ec7632c9533b3f
    SHA256: 8a830c48c4d78159dd80f4dad81c0bebbf9314710026b1a2ef0ffdddcb24b83d
    SHA512: 71bf48dcb6916a810f63710968894b431357aa694aa169067f567cc82b8e4ee732f581afb85b256e5c5a9d15a8b7b5746fa6a8b4127b273feb5b0e03e91b607a

  • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\certremoval.bat
    Filesize: 143B
    MD5: e8c0e44371c4edcc8908173bb91ca75c
    SHA1: 5479f75580e366cbb2bb03b15c1518cebdfc5cb0
    SHA256: 30aa7a6e165232dca4b1b3adf8c74bea54a29686f8802c6de92075ef53b5c1aa
    SHA512: 3ad2442ea854b2c7b1620a6e679ed36110a0f30023cf12552de28c70e3e883f859c114d5a14cec4280564ad280204fa549f7f5680cefafff8a2857e16ac36b7d

  • C:\Users\Admin\AppData\Local\Temp\is-U5SI7.tmp\RdmCert\rdm.pfx
    Filesize: 2KB
    MD5: cb24f524ab36239cda47ebeb8cbd6edb
    SHA1: 4cdc6226288f2d5868c48457f124569ecb91608f
    SHA256: 7ee7f861af655e38b08fc3112e0b19c518673251478b2dd44c2580659fe402f0
    SHA512: c1ba2485c5900bbe5b0a7aeea8856ee77de8d1544f2f71effca80f3e8dd49b01c309ad3163740263f027ab66ecbdb679b8609ac601d33f98670e406c4c6604b0

  • \Users\Admin\AppData\Local\Temp\is-0QP9J.tmp\RDM_Root_Cert_Update_Windows.tmp
    Filesize: 3.1MB
    MD5: a5388235bbd3513d95a2a5c172a55680
    SHA1: e9beb5ae74748344085efc937d8b5acfcf194e7b
    SHA256: 109dfa3633727aee046973a9d59dfd493c4f4edfa50bcbcc37999c4bf020550f
    SHA512: 68e6111ffeb231668914c66d2a09bc21f5fc616767284af699919ae98b09082c0f89d567cf6cb33b087c5f0c59b4ce813836cd12eec62e54aa10a584ec4fd970

  • \Users\Admin\AppData\Local\Temp\is-14SL4.tmp\RDM_ROOTCERTIFICATE.tmp
    Filesize: 3.1MB
    MD5: 05cb53c8116fa798ab00b737f7b94015
    SHA1: bc5f54566ca4a156030372cefead56540fb3d9ff
    SHA256: 41355b9de8550c19de59ba6555bac91bcca1529f0eabff8c239a7b151f4012eb
    SHA512: 66e96aca190fd2069c6e24b37ede8f38d1b0e3d11696e93ad09e0ebdf3e8809d49d0c9b0e5c68f479e88f6440302e07a1d5327be489d1095dad0746657acdeae

  • \Users\Admin\AppData\Local\Temp\is-CCVB3.tmp\RDM_ROOTCERTIFICATE.exe
    Filesize: 2.6MB
    MD5: 5daec5d62a1b06418e5eae25b7857748
    SHA1: 8a56f34f6a62b6ee1489ab2dfff643bc5dc22276
    SHA256: 9f395107a54b5393d98b7aa5d4a039d32be780e691cacf75ef7d4ce58d074d83
    SHA512: 10b3af9c90b875294ef606eb471e1e30a7a8db56fab2874f6ef32d33d088c97e4802a4980b196aa419bd0dddc568f13c5453e822a190e5165c96c4e7e2cf0cb1

  • memory/1364-136-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB

  • memory/1364-34-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB

  • memory/2036-134-0x0000000000400000-0x0000000000720000-memory.dmp
    Filesize: 3.1MB

  • memory/2156-11-0x0000000000400000-0x0000000000720000-memory.dmp
    Filesize: 3.1MB

  • memory/2156-9-0x0000000000400000-0x0000000000720000-memory.dmp
    Filesize: 3.1MB

  • memory/2156-138-0x0000000000400000-0x0000000000720000-memory.dmp
    Filesize: 3.1MB

  • memory/2536-0-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB

  • memory/2536-10-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB

  • memory/2536-2-0x0000000000401000-0x00000000004B7000-memory.dmp
    Filesize: 728KB

  • memory/2536-140-0x0000000000400000-0x00000000004E6000-memory.dmp
    Filesize: 920KB