4823039a00b1758ea6f41984f7fffbc94922a8cf223fe6bd0ead1c3f596ad12f

General

Target

471fe1e9c83a0053e31a28c96326475f.exe
Size

385KB
MD5

471fe1e9c83a0053e31a28c96326475f
SHA1

70d9626c6a31810e756bb1685c6b28ea129cab61
SHA256

4823039a00b1758ea6f41984f7fffbc94922a8cf223fe6bd0ead1c3f596ad12f
SHA512

fa530ecc303f43578b00bfb1b7978d210c04c94c38d869a8244be603d7f1daee7198e2d5869c870c9d149bb5f72ce8708b151724df509e087bdcec83a2555ff3
SSDEEP

6144:oVqPm3b3BjnYmR8vOf3R6GlPbs2XhBZuEzfUGIYdDmQgsoszN8dvmOlMPsz83v5B:oVqPWb9nxR8s4szf/bgsosSdvmREIf5B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1004	471fe1e9c83a0053e31a28c96326475f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	471fe1e9c83a0053e31a28c96326475f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c0000000100000004000000000800000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	471fe1e9c83a0053e31a28c96326475f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1196	471fe1e9c83a0053e31a28c96326475f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1196	471fe1e9c83a0053e31a28c96326475f.exe
1004	471fe1e9c83a0053e31a28c96326475f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1004	1196	471fe1e9c83a0053e31a28c96326475f.exe	15
PID 1196 wrote to memory of 1004	1196	471fe1e9c83a0053e31a28c96326475f.exe	15
PID 1196 wrote to memory of 1004	1196	471fe1e9c83a0053e31a28c96326475f.exe	15

C:\Users\Admin\AppData\Local\Temp\471fe1e9c83a0053e31a28c96326475f.exe
"C:\Users\Admin\AppData\Local\Temp\471fe1e9c83a0053e31a28c96326475f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\471fe1e9c83a0053e31a28c96326475f.exe
  C:\Users\Admin\AppData\Local\Temp\471fe1e9c83a0053e31a28c96326475f.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\471fe1e9c83a0053e31a28c96326475f.exe

Filesize
385KB

MD5
94288613c28e439f9df3d50addfdbef7

SHA1
c916fd155767e65a23d061474215537f496c2ca7

SHA256
9f2bc499520cd989192840fb9f05ddaeae5085e4db9b0f1bd258bd77426d9086

SHA512
ebfb3b9534ddf2edee7cb0e0c283cb82ea2ec2542ffcf4fbd150b1eaa0aafbc95fa7e7e546b9a3ee95304bdefa2507262806510eb3fe5fe33875169646dfe075

Download Submit
memory/1004-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/1004-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1004-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/1004-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1004-37-0x000000000C740000-0x000000000C77C000-memory.dmp

Filesize
240KB

Download
memory/1004-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1196-1-0x00000000015B0000-0x0000000001616000-memory.dmp

Filesize
408KB

Download
memory/1196-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1196-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1196-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing