1b385c27d2c3257eabc05902fdda6a0ffe9f2f6f75fafe8e894289d425797780

General

Target

5941f7f0b6e0e58ca67abac90a21a389.exe
Size

385KB
MD5

5941f7f0b6e0e58ca67abac90a21a389
SHA1

e8535af2099d6516adee19aacb5b446c731299b4
SHA256

1b385c27d2c3257eabc05902fdda6a0ffe9f2f6f75fafe8e894289d425797780
SHA512

a1b590717b2f6b35e62572fa0cb15572483107ee649324506d3e27aaa194db5a69797e0fe612ab3d3b0300854c4ce09bb6a739f10e3cecedaa3a4c531acada56
SSDEEP

6144:VaLzBkFckeyzkd8/h80LShrGniVCIoF0gmETvM3UbG9/88EPBBkZZ6B:VaB0/86SMnMCQHErUGy88IBkZMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	5941f7f0b6e0e58ca67abac90a21a389.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	5941f7f0b6e0e58ca67abac90a21a389.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	5941f7f0b6e0e58ca67abac90a21a389.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	5941f7f0b6e0e58ca67abac90a21a389.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	5941f7f0b6e0e58ca67abac90a21a389.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	5941f7f0b6e0e58ca67abac90a21a389.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1704	5941f7f0b6e0e58ca67abac90a21a389.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1704	5941f7f0b6e0e58ca67abac90a21a389.exe
2668	5941f7f0b6e0e58ca67abac90a21a389.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2668	1704	5941f7f0b6e0e58ca67abac90a21a389.exe	19
PID 1704 wrote to memory of 2668	1704	5941f7f0b6e0e58ca67abac90a21a389.exe	19
PID 1704 wrote to memory of 2668	1704	5941f7f0b6e0e58ca67abac90a21a389.exe	19
PID 1704 wrote to memory of 2668	1704	5941f7f0b6e0e58ca67abac90a21a389.exe	19

C:\Users\Admin\AppData\Local\Temp\5941f7f0b6e0e58ca67abac90a21a389.exe
"C:\Users\Admin\AppData\Local\Temp\5941f7f0b6e0e58ca67abac90a21a389.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\5941f7f0b6e0e58ca67abac90a21a389.exe
  C:\Users\Admin\AppData\Local\Temp\5941f7f0b6e0e58ca67abac90a21a389.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\5941f7f0b6e0e58ca67abac90a21a389.exe

Filesize
94KB

MD5
e7b371874ddc0a1bdfa25aa7cdaa19ad

SHA1
3ff0e12606c12103675d549bb6390b62238b7392

SHA256
e7f070f945540cc08d9aee832a454479d35e1604f2e711f8a324241828bc47e7

SHA512
e3ad178a8c9fbe0ad8d577433ec9b9825c8c311faff760d7be693f7dc805ce32cafca2a306f0545f7176c780c1666144fc9d87f38c65ca45b15edfedb1c5e025

Download Submit
memory/1704-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1704-2-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1704-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1704-12-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1704-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-25-0x0000000001550000-0x00000000015AF000-memory.dmp

Filesize
380KB

Download
memory/2668-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2668-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2668-82-0x000000000D6B0000-0x000000000D6EC000-memory.dmp

Filesize
240KB

Download
memory/2668-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing