b4a933b088f2b17533a0b0263ec57dce29b0f221517bbb2df740db387db5579a

General

Target

launcher.bat
Size

75B
MD5

eb55186a25a8401bce6951cce620f9ef
SHA1

de8527377c8dab90ca8d20e74e210b86d0609295
SHA256

34ee234989a8d61ef10b8dc249335b82660d014f7ed4bd199110e1bb57b9ec57
SHA512

83d56e9c99fe10e0c58b51b236c39b71d52cc1c959efd1ef096b066bdd56fbf01b91f3a0c6732e76ee09295f922e33c4b53a56d07f6583f2c23333f357772490

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 19 IoCs

flow	pid	Process
4	2188	rundll32.exe
7	2188	rundll32.exe
9	2188	rundll32.exe
11	2188	rundll32.exe
15	2188	rundll32.exe
20	2188	rundll32.exe
21	2188	rundll32.exe
22	2188	rundll32.exe
23	2188	rundll32.exe
24	2188	rundll32.exe
25	2188	rundll32.exe
26	2188	rundll32.exe
27	2188	rundll32.exe
28	2188	rundll32.exe
29	2188	rundll32.exe
30	2188	rundll32.exe
31	2188	rundll32.exe
32	2188	rundll32.exe
34	2188	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2188	2856	cmd.exe	31
PID 2856 wrote to memory of 2188	2856	cmd.exe	31
PID 2856 wrote to memory of 2188	2856	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\rundll32.exe
  rundll32.exe witwin_st_x64.dll,NxReleasePMap
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-0-0x000000026E7A0000-0x000000026E7EA000-memory.dmp

Filesize
296KB

Download
memory/2188-5-0x000000026E7A0000-0x000000026E7EA000-memory.dmp

Filesize
296KB

Download
memory/2188-6-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/2188-2-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/2188-1-0x00000000020F0000-0x0000000002136000-memory.dmp

Filesize
280KB

Download
memory/2188-7-0x0000000002140000-0x000000000218C000-memory.dmp

Filesize
304KB

Download
memory/2188-31-0x0000000002140000-0x000000000218C000-memory.dmp

Filesize
304KB

Download
memory/2188-32-0x000000026E7A0000-0x000000026E7EA000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing