2b081e543491e3dacd3ee3b823ab485a6ee7d0b5ea1f272a1755ca7b104ec4ad

General

Target

65cf4d9b8942262c739ac51a15afd5e2.exe
Size

907KB
MD5

65cf4d9b8942262c739ac51a15afd5e2
SHA1

f6a42e9c42f66de210cd1c05d29da76d7d88ce5f
SHA256

2b081e543491e3dacd3ee3b823ab485a6ee7d0b5ea1f272a1755ca7b104ec4ad
SHA512

c0b7f47c9140a99189e7b94ac221fb4ed996cf9aa62b4a13c2323905a12288c65b1e5448de3e8405ccbe4ad445bad6168d55e5723230e8f4b7da97553e63710a
SSDEEP

12288:QPs8l6E8n913mJMpeQrpz9eGNaK7W4xsOjpNIr3Q1xyIkjVDa/ZS1:QE8kKMp3p5eWWjOjbQQoa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	65cf4d9b8942262c739ac51a15afd5e2.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	65cf4d9b8942262c739ac51a15afd5e2.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	65cf4d9b8942262c739ac51a15afd5e2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	65cf4d9b8942262c739ac51a15afd5e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	65cf4d9b8942262c739ac51a15afd5e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	65cf4d9b8942262c739ac51a15afd5e2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2076	65cf4d9b8942262c739ac51a15afd5e2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2076	65cf4d9b8942262c739ac51a15afd5e2.exe
2864	65cf4d9b8942262c739ac51a15afd5e2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2864	2076	65cf4d9b8942262c739ac51a15afd5e2.exe	17
PID 2076 wrote to memory of 2864	2076	65cf4d9b8942262c739ac51a15afd5e2.exe	17
PID 2076 wrote to memory of 2864	2076	65cf4d9b8942262c739ac51a15afd5e2.exe	17
PID 2076 wrote to memory of 2864	2076	65cf4d9b8942262c739ac51a15afd5e2.exe	17

C:\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe
C:\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2864

C:\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe
"C:\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe

Filesize
382KB

MD5
d01bf38f38fd41e6ea023366bb6e7d44

SHA1
f8a2255567e842a025b59eb8744d3af12ad6c352

SHA256
f3802cb535ce70e369fa2da7a700c511702181d7e33a8678bdddaeb752090b9b

SHA512
66cae3fda532989bce1d7aa294fe2b319ad2802a2545f521980123384f9d086051cce0e6b984207134f5aec16d207ce54efe3db85a5b0e6f6cacb83c1a975534

Download Submit
\Users\Admin\AppData\Local\Temp\65cf4d9b8942262c739ac51a15afd5e2.exe

Filesize
893KB

MD5
28a02af10d3324a7a40e2cf837b8e70c

SHA1
9ccc7bc3bd5b84630dd1c6f33bb31db16d701a92

SHA256
c1f3a7763f5da0f3901eec2ede7d5d8be03b0433ee2b80e00bb8caeeed5fedbf

SHA512
65f0ed8837e50b66d1ff0cab58c7558a5d1ee309995e518f6915884d73c90b0ace78b7748084bb99dbaa4cf66b2573c7dbb4e76148227cf5adcbe40a11be352d

Download Submit
memory/2076-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2076-3-0x0000000000270000-0x0000000000358000-memory.dmp

Filesize
928KB

Download
memory/2076-15-0x0000000003280000-0x0000000003368000-memory.dmp

Filesize
928KB

Download
memory/2076-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2076-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2864-20-0x0000000000290000-0x0000000000378000-memory.dmp

Filesize
928KB

Download
memory/2864-24-0x0000000002F40000-0x0000000002FFB000-memory.dmp

Filesize
748KB

Download
memory/2864-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2864-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2864-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-79-0x000000000D8F0000-0x000000000D988000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing