de6d5e81b045dc9594c9c55f00d58a519f6ad994def322ff60c986e4ce818570

General

Target

0667751a4f57e8f0631885fd19922fd0.exe
Size

907KB
MD5

0667751a4f57e8f0631885fd19922fd0
SHA1

c73d958eda8ade7830f5468dfcf5b783a6814b47
SHA256

de6d5e81b045dc9594c9c55f00d58a519f6ad994def322ff60c986e4ce818570
SHA512

2502384aeb9e93704b9ff3f69456266c0dff14737a476f9808dbe90e0a0893ce4971f2ee0a7341027c4fa2ad2c4b4c44b9e4d061014e4bc1a5f243619397047c
SSDEEP

12288:FA2HVOHgzNvmhhLYOtJ4CmCAgEqAzVFekFwiI+ZjkeRjVDa/ZS1:d1SgJvmT7mfgEqAqkGaa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	0667751a4f57e8f0631885fd19922fd0.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	0667751a4f57e8f0631885fd19922fd0.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	0667751a4f57e8f0631885fd19922fd0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0667751a4f57e8f0631885fd19922fd0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0667751a4f57e8f0631885fd19922fd0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0667751a4f57e8f0631885fd19922fd0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2356	0667751a4f57e8f0631885fd19922fd0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2356	0667751a4f57e8f0631885fd19922fd0.exe
2688	0667751a4f57e8f0631885fd19922fd0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2688	2356	0667751a4f57e8f0631885fd19922fd0.exe	25
PID 2356 wrote to memory of 2688	2356	0667751a4f57e8f0631885fd19922fd0.exe	25
PID 2356 wrote to memory of 2688	2356	0667751a4f57e8f0631885fd19922fd0.exe	25
PID 2356 wrote to memory of 2688	2356	0667751a4f57e8f0631885fd19922fd0.exe	25

C:\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe
"C:\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe
  C:\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe

Filesize
82KB

MD5
7bf89d8f9dc3883f336db79160553669

SHA1
64656825d30894d0c44fe547356e58482e023ba1

SHA256
26a9d45a217bc165aec14219a0149f7cf579f36994838901b0ac5678a47cf139

SHA512
39c5e22b08000b198358941c696185cc75e72eeafe5c44a70a7250acd46ecded68c4fbba3eaa919ee4a8f6a53a7f7130375c7e827fe53e378a8c2b832f325168

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7C2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE7F4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\0667751a4f57e8f0631885fd19922fd0.exe

Filesize
162KB

MD5
ccbc6faa6c068058c3288361d9427732

SHA1
43d723b998e72eba33aef06cda40dd85e97b3a9b

SHA256
3b8bc8fcc7b30d99c73bb688fc2792d1f3705de314cfcd0d3c6e410271474662

SHA512
7c273a162f110f9f9c9a3724a2c2e34677ae2fc624583e4eb7aa2975565fd05be3a0b16ecc08768d3d9172473c3788fb8258e97e4859d2339482b417fb8264a0

Download Submit
memory/2356-14-0x00000000031A0000-0x0000000003288000-memory.dmp

Filesize
928KB

Download
memory/2356-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2356-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2356-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2356-2-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/2688-16-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2688-18-0x00000000002D0000-0x00000000003B8000-memory.dmp

Filesize
928KB

Download
memory/2688-25-0x0000000002F40000-0x0000000002FFB000-memory.dmp

Filesize
748KB

Download
memory/2688-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2688-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-82-0x000000000ED40000-0x000000000EDD8000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing