80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352

General

Target

ExeFile (339).exe
Size

861KB
MD5

c20ef4961ce6eb9dd5654242ec1b418c
SHA1

076cb25979115c1a5baa95807f993c90f629c524
SHA256

80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352
SHA512

e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2
SSDEEP

24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

Executes dropped EXE 2 IoCs

Processes:

msdtc.commsdtc.com

pid process

780 msdtc.com
100 msdtc.com

pid	process
780	msdtc.com
100	msdtc.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ExeFile (339).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ExeFile (339).exe

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

cmd.execertutil.exe

pid process

464 cmd.exe
4112 certutil.exe

pid	process
464	cmd.exe
4112	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEExeFile (339).execmd.execertutil.exemsdtc.commsdtc.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExeFile (339).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdtc.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdtc.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4664 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4664 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msdtc.commsdtc.com

pid process

780 msdtc.com
780 msdtc.com
780 msdtc.com
100 msdtc.com
100 msdtc.com
100 msdtc.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

msdtc.commsdtc.com

pid process

780 msdtc.com
780 msdtc.com
780 msdtc.com
100 msdtc.com
100 msdtc.com
100 msdtc.com

pid	process
4664	PING.EXE

pid	process
4664	PING.EXE

pid	process
780	msdtc.com
780	msdtc.com
780	msdtc.com
100	msdtc.com
100	msdtc.com
100	msdtc.com

pid	process
780	msdtc.com
780	msdtc.com
780	msdtc.com
100	msdtc.com
100	msdtc.com
100	msdtc.com

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ExeFile (339).execmd.exemsdtc.com

description	pid	process	target process
PID 1404 wrote to memory of 464	1404	ExeFile (339).exe	cmd.exe
PID 1404 wrote to memory of 464	1404	ExeFile (339).exe	cmd.exe
PID 1404 wrote to memory of 464	1404	ExeFile (339).exe	cmd.exe
PID 464 wrote to memory of 4112	464	cmd.exe	certutil.exe
PID 464 wrote to memory of 4112	464	cmd.exe	certutil.exe
PID 464 wrote to memory of 4112	464	cmd.exe	certutil.exe
PID 464 wrote to memory of 780	464	cmd.exe	msdtc.com
PID 464 wrote to memory of 780	464	cmd.exe	msdtc.com
PID 464 wrote to memory of 780	464	cmd.exe	msdtc.com
PID 780 wrote to memory of 100	780	msdtc.com	msdtc.com
PID 780 wrote to memory of 100	780	msdtc.com	msdtc.com
PID 780 wrote to memory of 100	780	msdtc.com	msdtc.com
PID 464 wrote to memory of 4664	464	cmd.exe	PING.EXE
PID 464 wrote to memory of 4664	464	cmd.exe	PING.EXE
PID 464 wrote to memory of 4664	464	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe
"C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c <nul set /p ="M" > msdtc.com & type KsTpnq.com >> msdtc.com & del KsTpnq.com & certutil -decode yTxIv.com U & msdtc.com U & ping 127.0.0.1 -n 3
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode yTxIv.com U
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
    msdtc.com U
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com U
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:100
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KsTpnq.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U

Filesize
241KB

MD5
c8c4a872e297f7e536786c49d66650c5

SHA1
d65329038099ba179db5331f8eaec618fb679119

SHA256
f8b193619fa0fbf5e8a7fa84017dab39b15acaeb3b7888b532e3d26d017d22ee

SHA512
37d26d18f19e7660b28c3b5cd58ae2a35ab40c2ffc947193c945a764a84edc61198141dab620d03f41c1585ca44c8ba940881db337a6e92ca2e454d50acb0c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bWPQ.com

Filesize
200KB

MD5
5ea7b5afb1bf7b27844bfb150307adb1

SHA1
47fcfe229e937dc5d2700203c1f9d42767082903

SHA256
ff8814e26980703a8d1d917a8a6991e80849037fe6fb531b05b7d984fa0db4e2

SHA512
1ca5022ee0e978711fd05b9c1655d554b16672962338f86c003aaebd86def8b07170b798c570823db6fb7b63eb17684a4beed302f5029ae01f66e1f828bd3388

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yTxIv.com

Filesize
332KB

MD5
0793e3a615b4e02d45e1f857fcb9b2fe

SHA1
c54946443428a2e90cbe07afd9a96b6dd176f563

SHA256
789eaa8e03690dd53708b429b7cb51f619f80c3f56d4616ca8971d512a63024b

SHA512
f889c6bf2c6878a980d1432c2353290bbf907292b777e73e0f540414f7de3e2945d05dad58b695214fc04163e729f6830cf6a1cfc6f4e9b5394c1fcc004e0b89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads