accb3a4a93d260cb167ebea88920f4a57c1164808e744b9e156a5b35f835b096

General

Target

100f5e90a9eb220b32e50b778c57c2dd.exe
Size

771KB
MD5

100f5e90a9eb220b32e50b778c57c2dd
SHA1

b9d9c78e2b747f6fc869af1cfe41c0cddd74265e
SHA256

accb3a4a93d260cb167ebea88920f4a57c1164808e744b9e156a5b35f835b096
SHA512

d1af51a5e7ec2b200ba43a5d764f5658da4fbe9a7046c6d01e41e0ae40ed03245babaa8f4833af5c03aaecba218fc2385aa77c616bdedd9bc3f3899b8cc92ba9
SSDEEP

12288:w18myemDer514dJ0+Fpg5F9FK9vWb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8B/:mNyDSr514H65aOb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1376	100f5e90a9eb220b32e50b778c57c2dd.exe

Executes dropped EXE 1 IoCs

pid	Process
1376	100f5e90a9eb220b32e50b778c57c2dd.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	100f5e90a9eb220b32e50b778c57c2dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	100f5e90a9eb220b32e50b778c57c2dd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	100f5e90a9eb220b32e50b778c57c2dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	100f5e90a9eb220b32e50b778c57c2dd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2888	100f5e90a9eb220b32e50b778c57c2dd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2888	100f5e90a9eb220b32e50b778c57c2dd.exe
1376	100f5e90a9eb220b32e50b778c57c2dd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1376	2888	100f5e90a9eb220b32e50b778c57c2dd.exe	16
PID 2888 wrote to memory of 1376	2888	100f5e90a9eb220b32e50b778c57c2dd.exe	16
PID 2888 wrote to memory of 1376	2888	100f5e90a9eb220b32e50b778c57c2dd.exe	16
PID 2888 wrote to memory of 1376	2888	100f5e90a9eb220b32e50b778c57c2dd.exe	16

C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
"C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
  C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe

Filesize
35KB

MD5
8f043905e0d5263ecd8aeb96cdb0c76c

SHA1
f04649d51141adbb3de993464455e05bc5b2406a

SHA256
debf4115367c92d873f45dd00cdf04857d2282f4fb665cf134ff66bc2602fe42

SHA512
581c6ef4b6d1fad60136c3af0b930fbdd52236b0e06026b349cae0db4311aba0ab83b239a3a39775e822b9ae474438a20a0df3f963a9f223f1f38f8ab32effda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar126D.tmp

Filesize
85KB

MD5
b4336c27a81019626050e233f1835df4

SHA1
cf7ecdc18c67841389711f678febca40f48d64a0

SHA256
74c2bc3b14e0d0c9d712c1a90630523eaddceb4c401848b8a2b0ef725c232998

SHA512
9f7c6952de25e40df3f9cda4fd7fcbd333e5a8066dc0c1b106b15c7ff5731a9129619ecd32fb44be4b620ce9eea4c7a8294c3402b7dbc405e190d1d57c01c79b

Download Submit
\Users\Admin\AppData\Local\Temp\100f5e90a9eb220b32e50b778c57c2dd.exe

Filesize
64KB

MD5
f6ac13bb9f6bfe8dbadb262c78d4270a

SHA1
9757cc630158c6f4fb27ffcb8ed978b44d69cdba

SHA256
903b4b60f2ad8e7d841e89a6ed3dcffea6f33a7863904dd7e77c62c79e25afde

SHA512
b237ec54feaf9f9358971050e6c3ad26d7fe98e55c5fe1b00201a610dc9c0549303ada09407e8e8ca5d0fed7f67fa0ab4376877c42c301d3105e255c3cb73961

Download Submit
memory/1376-29-0x0000000000320000-0x000000000037F000-memory.dmp

Filesize
380KB

Download
memory/1376-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-20-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1376-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1376-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1376-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1376-88-0x000000000A6C0000-0x000000000A6FC000-memory.dmp

Filesize
240KB

Download
memory/2888-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2888-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2888-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2888-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2888-15-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing