adc94097e82b3c9bc6d8500fd763c601a1fb82425e482b3f9c778d188cf73ab6

General

Target

00f713c458a80152f1a3d0b36c9b59a1.exe
Size

771KB
MD5

00f713c458a80152f1a3d0b36c9b59a1
SHA1

07580363b5d09bf02b6580ba10e750385b76e6ba
SHA256

adc94097e82b3c9bc6d8500fd763c601a1fb82425e482b3f9c778d188cf73ab6
SHA512

4353ca03138e231c7db3a987ccfa83ce6abe12e85d0bff48c7491e5e2024bd20d9fca652687e7b7fb4b8c1a48b07224a1bb278180bc095b3b3e0af44fa9838d6
SSDEEP

24576:PkXncH8TXF52m0RbNMqDyb9JVRmiBIZTB:+cHkXf+GyyRJnTBC9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1796	00f713c458a80152f1a3d0b36c9b59a1.exe

Executes dropped EXE 1 IoCs

pid	Process
1796	00f713c458a80152f1a3d0b36c9b59a1.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	00f713c458a80152f1a3d0b36c9b59a1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	00f713c458a80152f1a3d0b36c9b59a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	00f713c458a80152f1a3d0b36c9b59a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	00f713c458a80152f1a3d0b36c9b59a1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2064	00f713c458a80152f1a3d0b36c9b59a1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2064	00f713c458a80152f1a3d0b36c9b59a1.exe
1796	00f713c458a80152f1a3d0b36c9b59a1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1796	2064	00f713c458a80152f1a3d0b36c9b59a1.exe	17
PID 2064 wrote to memory of 1796	2064	00f713c458a80152f1a3d0b36c9b59a1.exe	17
PID 2064 wrote to memory of 1796	2064	00f713c458a80152f1a3d0b36c9b59a1.exe	17
PID 2064 wrote to memory of 1796	2064	00f713c458a80152f1a3d0b36c9b59a1.exe	17

C:\Users\Admin\AppData\Local\Temp\00f713c458a80152f1a3d0b36c9b59a1.exe
"C:\Users\Admin\AppData\Local\Temp\00f713c458a80152f1a3d0b36c9b59a1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\00f713c458a80152f1a3d0b36c9b59a1.exe
  C:\Users\Admin\AppData\Local\Temp\00f713c458a80152f1a3d0b36c9b59a1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\00f713c458a80152f1a3d0b36c9b59a1.exe

Filesize
771KB

MD5
c0a340bc25aa166a5a655e7b74286986

SHA1
5c257803abe46a02807512b5394d95bf19a4d2a5

SHA256
ae72b95dcb6e90f030622464ef86ba553aec4c2e43a5bcb7f2b455a85066ccac

SHA512
c1f3e3ce14d670f7c4c46d0114ecb2b9d24c549ffcf091efc37c9fff1c88f4c10db6d8f0735db09a60647daf23658b4066d5ae7dfcace20dcf60f805c6e1a231

Download Submit
memory/1796-26-0x0000000002C90000-0x0000000002CEF000-memory.dmp

Filesize
380KB

Download
memory/1796-21-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1796-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1796-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1796-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-83-0x000000000A5D0000-0x000000000A60C000-memory.dmp

Filesize
240KB

Download
memory/1796-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2064-16-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/2064-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2064-3-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2064-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2064-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing