03c82c5e3c9fc1a0fa7721cdd316ec20f479d85912fdd20583d1da8940ed1f65

General

Target

26448a57b7f7c95b6377012e72e7435e.exe
Size

907KB
MD5

26448a57b7f7c95b6377012e72e7435e
SHA1

eade749c2d735734f2a24a65093538190532cdb7
SHA256

03c82c5e3c9fc1a0fa7721cdd316ec20f479d85912fdd20583d1da8940ed1f65
SHA512

30d5390b3e31a61ce3cf6a0b3ec2eded4a0a1e2d6066c5cd1762adfbd49632dc45e835a8c54ecada868a9c6ceb01f6bf6910a4a62e344d9f9cfd820f9849be0d
SSDEEP

24576:yRJz9Rw1h24B/9o8Su7X8W7D7gJfDxa/ZS1:yRJzHOh24BVqXC7y7xgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	26448a57b7f7c95b6377012e72e7435e.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	26448a57b7f7c95b6377012e72e7435e.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	26448a57b7f7c95b6377012e72e7435e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	26448a57b7f7c95b6377012e72e7435e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	26448a57b7f7c95b6377012e72e7435e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	26448a57b7f7c95b6377012e72e7435e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2476	26448a57b7f7c95b6377012e72e7435e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2476	26448a57b7f7c95b6377012e72e7435e.exe
2868	26448a57b7f7c95b6377012e72e7435e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2868	2476	26448a57b7f7c95b6377012e72e7435e.exe	29
PID 2476 wrote to memory of 2868	2476	26448a57b7f7c95b6377012e72e7435e.exe	29
PID 2476 wrote to memory of 2868	2476	26448a57b7f7c95b6377012e72e7435e.exe	29
PID 2476 wrote to memory of 2868	2476	26448a57b7f7c95b6377012e72e7435e.exe	29

C:\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe
"C:\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe
  C:\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe

Filesize
57KB

MD5
ea5e5feb6a38998a3a8b6a76c9b0a17c

SHA1
c1c01576a08855e4a0422e1b2fa1147db4fecf0d

SHA256
8a22a14e94df3ecf793d4fb01936e0c4cfc8f57f4b2a6ed15d36bf9905246e13

SHA512
659488ef9e41f515155ae72ed0508e722fda27344579017210ce5f53cdbf32773f497e8fbdada69c33e88698045474c01c236dfc04928da644d672dd4afdec39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C45.tmp

Filesize
30KB

MD5
9e63d4089ae36534ed9a316e91786ee1

SHA1
8d059c6cdc60c0b4d68e7c1242a9f035f0594f4c

SHA256
4a0727df7678462775cf5fb5a19a881aa9e9fea77683de8d3002c26daf4243c5

SHA512
5f8965c9827749323849539fc7795af96ade695eabe24303abb8abbdaec5b1665753022e301956e0b8015640f2d062f432752a44e9a8e1cb0129c3e090f2911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C77.tmp

Filesize
25KB

MD5
347c3ec2ff96af7621a06e6fabfd8e15

SHA1
9e523678ca61f3b15916671f6631ea657b0bf2af

SHA256
a2bedbd45288cde32b8d1d0be276fe3627d736e4b42914a5201418dd73f96a09

SHA512
45903508856589761dc24e94538e4d03db8f289f4c721f728f126d28c754a461555ded14d9f150107fcc9bb690a4de4886fd7b198cfec768783ec494f8f1915c

Download Submit
\Users\Admin\AppData\Local\Temp\26448a57b7f7c95b6377012e72e7435e.exe

Filesize
188KB

MD5
50e5378abc7c3e0386894c29197ab18a

SHA1
7cd62b0ff07559d80d6f4e93b752e5146c65401f

SHA256
b21f46b7875695a03a9e1b87addbf11066f86e03bec8595063a07fbc9e33f95a

SHA512
880b86c190ec708dc7d18cad1b4009ae296359dda591139b8172da2aa4783e081493fd85e98ba2dbc5f8236a2a9e62206b90674ce87245dcd01be967d69bd4a3

Download Submit
memory/2476-14-0x0000000003360000-0x0000000003448000-memory.dmp

Filesize
928KB

Download
memory/2476-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2476-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2476-2-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/2476-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2868-27-0x0000000002F30000-0x0000000002FEB000-memory.dmp

Filesize
748KB

Download
memory/2868-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2868-20-0x00000000002A0000-0x0000000000388000-memory.dmp

Filesize
928KB

Download
memory/2868-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-81-0x000000000EC00000-0x000000000EC98000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing