fbf1d9279145b7d528b4f2d70aabd520fb136a077fab8c5c72caf54a9466a38b

General

Target

05c621daca9f0ce01f272f0aa3e1c1a0.exe
Size

771KB
MD5

05c621daca9f0ce01f272f0aa3e1c1a0
SHA1

16f5bacd5179d96f2dc0e6679a9771153c12f8a1
SHA256

fbf1d9279145b7d528b4f2d70aabd520fb136a077fab8c5c72caf54a9466a38b
SHA512

d914208347f81f0d38b321c893a2c48678b5a765e9e303e7e1cde1a4975051078abb95232b0400721acabc40de47cdcb3be2385e5d9cb62d7482c29549bb358b
SSDEEP

12288:y78qmLyFiH6iaRjFnGb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8BpH9PVB:y8ocralob10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	05c621daca9f0ce01f272f0aa3e1c1a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	05c621daca9f0ce01f272f0aa3e1c1a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe
1724	05c621daca9f0ce01f272f0aa3e1c1a0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1724	1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe	14
PID 1960 wrote to memory of 1724	1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe	14
PID 1960 wrote to memory of 1724	1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe	14
PID 1960 wrote to memory of 1724	1960	05c621daca9f0ce01f272f0aa3e1c1a0.exe	14

C:\Users\Admin\AppData\Local\Temp\05c621daca9f0ce01f272f0aa3e1c1a0.exe
C:\Users\Admin\AppData\Local\Temp\05c621daca9f0ce01f272f0aa3e1c1a0.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1724

C:\Users\Admin\AppData\Local\Temp\05c621daca9f0ce01f272f0aa3e1c1a0.exe
"C:\Users\Admin\AppData\Local\Temp\05c621daca9f0ce01f272f0aa3e1c1a0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05c621daca9f0ce01f272f0aa3e1c1a0.exe

Filesize
771KB

MD5
66a68a5fe2c50a5082b41492a403c36f

SHA1
2153b23e25a1bfaa060187bc4f3734a2f512aced

SHA256
2c26bbf77ed86c4de4bc6a4f7fd624a94d2e4254a89ceb7afe93dc7e643d4ee1

SHA512
79658a53f31b545abb214d1d2a80f0568aeaf28f36da3cff2c3f944360421f10b8aec24f3257851040728c893d558ed6a560e3ff42d6021c36161a4e880feac5

Download Submit
memory/1724-83-0x000000000D600000-0x000000000D63C000-memory.dmp

Filesize
240KB

Download
memory/1724-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1724-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-20-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1724-29-0x0000000002C90000-0x0000000002CEF000-memory.dmp

Filesize
380KB

Download
memory/1724-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1960-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1960-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1960-12-0x0000000003010000-0x0000000003076000-memory.dmp

Filesize
408KB

Download
memory/1960-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1960-2-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing