7a8a084e841b0e5f376cdf9e7c7143ea1c08fd51d5327bcaa676e050ff647de8

General

Target

001733a447ec623cc5892292cd6ee5c6.exe
Size

385KB
MD5

001733a447ec623cc5892292cd6ee5c6
SHA1

d133445019863083a7faf57d395ea2d0e0af9589
SHA256

7a8a084e841b0e5f376cdf9e7c7143ea1c08fd51d5327bcaa676e050ff647de8
SHA512

9fe843f60663b0ff6bee82bd948e700b7c0bf9f5de9067304694b996356625d72aabf16dd0fe2ffb916e21a6e64f0840af32c15483da6113254d790211be90bd
SSDEEP

6144:7TkGwNfyc3CSNxWuWKISDq8iNs71o+v8WtU+qD1ifHjyJk9eQftw7veV0B:7TSlyGr8u/FD36sDv8V+PvxQQ0xB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1620	001733a447ec623cc5892292cd6ee5c6.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	001733a447ec623cc5892292cd6ee5c6.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	001733a447ec623cc5892292cd6ee5c6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	001733a447ec623cc5892292cd6ee5c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	001733a447ec623cc5892292cd6ee5c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	001733a447ec623cc5892292cd6ee5c6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1704	001733a447ec623cc5892292cd6ee5c6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1704	001733a447ec623cc5892292cd6ee5c6.exe
1620	001733a447ec623cc5892292cd6ee5c6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1620	1704	001733a447ec623cc5892292cd6ee5c6.exe	28
PID 1704 wrote to memory of 1620	1704	001733a447ec623cc5892292cd6ee5c6.exe	28
PID 1704 wrote to memory of 1620	1704	001733a447ec623cc5892292cd6ee5c6.exe	28
PID 1704 wrote to memory of 1620	1704	001733a447ec623cc5892292cd6ee5c6.exe	28

C:\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe
"C:\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe
  C:\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe

Filesize
57KB

MD5
2b1ef5a08c7926e46b95c545660260b7

SHA1
dd8d4b1b8bfa53f4f592bcea25e74f303157a2d0

SHA256
d6a3c34a4ed5badc9da72b1e2b7201d6573f530015598b2e107373fb3b63c8d2

SHA512
87ab3427f7af9b3985100ddbe94c49c08c32e5e00bc9c1e9a1a03f564a5551b65d1908af97ffe01470b555456b534a9b7d97237838d9425fccb14f32ad624196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9FBB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9FFC.tmp

Filesize
91KB

MD5
62fb6771959d6b061ef7a4bee3459b89

SHA1
d918ff7bb088f92f5e93377fbd82de86afefbe95

SHA256
fd9f3da55ef6c09f3f3c9eb272e1477489887e98bd7835e4a0196b131f05a334

SHA512
6ae8d4b85c5bb6d7e368ee806000ce7570e6b80cf1433856d92f001263da8700b279f5f5da8c4aefc41cfe75c332935bae313b9e00edeb703629d2015a42b32d

Download Submit
\Users\Admin\AppData\Local\Temp\001733a447ec623cc5892292cd6ee5c6.exe

Filesize
92KB

MD5
999be5102b75784d5cd86af634b4aac1

SHA1
91ecef2b5aaba1d0124b544b87ac9927abbc2f96

SHA256
13c1c5d943c188d01fea85bb5d29a9568591b54b702c08d074f91c578c685a4d

SHA512
e72f4475edecbf57c2029ca8f4980243a3f2c5b37c3c58be009e6e1f35365ee50e7d8fd88e6299901a7539afcfaf6dd4f9a160e284fd925bb9285f7ab035bc02

Download Submit
memory/1620-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-19-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/1620-27-0x0000000002BD0000-0x0000000002C2F000-memory.dmp

Filesize
380KB

Download
memory/1620-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1620-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1620-81-0x00000000075E0000-0x000000000761C000-memory.dmp

Filesize
240KB

Download
memory/1704-14-0x0000000002E90000-0x0000000002EF6000-memory.dmp

Filesize
408KB

Download
memory/1704-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1704-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1704-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1704-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing