50956c28d06ae321e79482964bce864bb07c552241017cb152a69c8078fea18c

General

Target

9e026042beea2469af4b31301fe94a72.exe
Size

2.0MB
MD5

9e026042beea2469af4b31301fe94a72
SHA1

7363a0224c9d4498952cbd8c122f7729837e2bbb
SHA256

50956c28d06ae321e79482964bce864bb07c552241017cb152a69c8078fea18c
SHA512

e28861396f6d0f274fbad21ca382dc0a7b039a3a5370f1cc12ef12b61d6b7f2561bd45535666c225f1b368542d0815ffe4abbfa9a6b5c732760234d4e948a690
SSDEEP

49152:2Syg4ubqAus098gygLHgpoQnB+UU6agyg:UgVMsk8oQnfU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	9e026042beea2469af4b31301fe94a72.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	9e026042beea2469af4b31301fe94a72.exe

Loads dropped DLL 1 IoCs

pid	Process
888	9e026042beea2469af4b31301fe94a72.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	9e026042beea2469af4b31301fe94a72.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9e026042beea2469af4b31301fe94a72.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9e026042beea2469af4b31301fe94a72.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	9e026042beea2469af4b31301fe94a72.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
888	9e026042beea2469af4b31301fe94a72.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2356	9e026042beea2469af4b31301fe94a72.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2356	888	9e026042beea2469af4b31301fe94a72.exe	29
PID 888 wrote to memory of 2356	888	9e026042beea2469af4b31301fe94a72.exe	29
PID 888 wrote to memory of 2356	888	9e026042beea2469af4b31301fe94a72.exe	29
PID 888 wrote to memory of 2356	888	9e026042beea2469af4b31301fe94a72.exe	29

C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
"C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
  C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
33KB

MD5
bc0f45cee150425394443d7926a3f291

SHA1
59345c01eaac60ef0e837ed5b9a91b192b50d7b5

SHA256
1480d3221568f78a2a097ee528862182efe52850d3c1c9856a6adf9a83fdb2fb

SHA512
086ac66bb338d8df910791d4c81597505ab803942d4ac3189bc5ae31dc8576032c5beffafb04bee3d3f1da80b68ae233bf0e439179492b433515fb0fe2d4ae97

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe

Filesize
119KB

MD5
30335c27c394273a0bee8bd8eb0c9c1b

SHA1
3d22a288c226c2d7fd7a4c8682e09c8079880456

SHA256
d192b1b1932fe44d4025e048ca601707cebfe6d919bd97d486f0e58eef30d2d2

SHA512
318337eec23b5cc39d1d0331fcd843b02d71db7ac608f376992b4642bafffe3e2429d0cf7c5f51e70d8bba47f2b2bc441e2fb0acaa67e546b53570559ee9cf5b

Download Submit
\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe

Filesize
74KB

MD5
cdd813f8fa8ac7964932e00da59fa124

SHA1
21c1a44b535f35ae1bf99e380e97a99f6649bc7b

SHA256
df2ccb2f1a49dac8a8e4887c5893e486e77095f1b513e3544e174a4470071759

SHA512
0e045955d8d2ddc31d06fc8a0fbafcb62a38fc5329f6837f2ec5495a11aca6c9273475fb1146b2ebca78294316e1750c9e323127d5a2a19fe5af18f6138c95ce

Download Submit
memory/888-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/888-8-0x0000000002F30000-0x000000000303D000-memory.dmp

Filesize
1.1MB

Download
memory/888-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2356-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2356-13-0x0000000002E20000-0x0000000002F2D000-memory.dmp

Filesize
1.1MB

Download
memory/2356-10-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2356-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-75-0x0000000007680000-0x0000000007723000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing