9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8

General

Target

9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe
Size

44KB
MD5

31dabfa8c23572ddc6eab605a31bd6ab
SHA1

a668e0a7cc5c0210c01eccb3d1e84da39a670680
SHA256

9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8
SHA512

3a9c728f56fc4880e912c7c4d5605baf12d4822f6d06997a382fff58626119b9297cc25af5a1807a0b814c176a33ca7e20e5bbc65a4d39add376d9460b3abdf3
SSDEEP

768:3/brzGi4zjT1mAUK12YF8rm12Cri5IoZSAzcwf3MveTdX9y2YFcRsUl/:3/r4zn1BUa2YFam12Cu5IoZSAzcwf3M4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
240	dahubus.exe

Deletes itself 1 IoCs

pid	Process
240	dahubus.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe
1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	dahubus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dahubus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dahubus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dahubus.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 240	1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe	28
PID 1624 wrote to memory of 240	1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe	28
PID 1624 wrote to memory of 240	1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe	28
PID 1624 wrote to memory of 240	1624	9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe	28

C:\Users\Admin\AppData\Local\Temp\9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe
"C:\Users\Admin\AppData\Local\Temp\9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\dahubus.exe
  C:\Users\Admin\AppData\Local\Temp\dahubus.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Modifies system certificate store
  PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dahubus.exe

Filesize
44KB

MD5
31dabfa8c23572ddc6eab605a31bd6ab

SHA1
a668e0a7cc5c0210c01eccb3d1e84da39a670680

SHA256
9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8

SHA512
3a9c728f56fc4880e912c7c4d5605baf12d4822f6d06997a382fff58626119b9297cc25af5a1807a0b814c176a33ca7e20e5bbc65a4d39add376d9460b3abdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahubus.exe

Filesize
44KB

MD5
31dabfa8c23572ddc6eab605a31bd6ab

SHA1
a668e0a7cc5c0210c01eccb3d1e84da39a670680

SHA256
9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8

SHA512
3a9c728f56fc4880e912c7c4d5605baf12d4822f6d06997a382fff58626119b9297cc25af5a1807a0b814c176a33ca7e20e5bbc65a4d39add376d9460b3abdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp443B.log

Filesize
206B

MD5
aee80037832b768a3550b6318143a89d

SHA1
0864928048f5530eb5d9a909383f38989921450a

SHA256
7cd3052b6230f847be58faba98286f5e764fe2ced5d9b624643708840f6b49f0

SHA512
9ae417319f16aba196913ad555d52e35ad9e4f7191ddef2f3ad23f3860de41a04a9fd0fa73a453bd03236d7f41bb93035db92311c73062763f78f207469ca1f5

Download Submit
\Users\Admin\AppData\Local\Temp\dahubus.exe

Filesize
44KB

MD5
31dabfa8c23572ddc6eab605a31bd6ab

SHA1
a668e0a7cc5c0210c01eccb3d1e84da39a670680

SHA256
9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8

SHA512
3a9c728f56fc4880e912c7c4d5605baf12d4822f6d06997a382fff58626119b9297cc25af5a1807a0b814c176a33ca7e20e5bbc65a4d39add376d9460b3abdf3

Download Submit
\Users\Admin\AppData\Local\Temp\dahubus.exe

Filesize
44KB

MD5
31dabfa8c23572ddc6eab605a31bd6ab

SHA1
a668e0a7cc5c0210c01eccb3d1e84da39a670680

SHA256
9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8

SHA512
3a9c728f56fc4880e912c7c4d5605baf12d4822f6d06997a382fff58626119b9297cc25af5a1807a0b814c176a33ca7e20e5bbc65a4d39add376d9460b3abdf3

Download Submit
memory/240-62-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/240-63-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/1624-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing