74cc9df6f04476e7bfeca39780390dadb6b1122b2f5bc581d502dda7f62f058b

General

Target

015ff421a7e5fb7484db6b2e48251f7a.exe
Size

385KB
MD5

015ff421a7e5fb7484db6b2e48251f7a
SHA1

b157e1e2ef98ff9d9f7303b283c7e3ed58f94c9f
SHA256

74cc9df6f04476e7bfeca39780390dadb6b1122b2f5bc581d502dda7f62f058b
SHA512

a6453606f6ed664f7fc5d914f4d2175042e1e3e235b2e8c25ea83078174ca0ad3a63127f1f0703b9ffebe9f9bbb16ea9d0f3334d611dc1994ce102fe5e374812
SSDEEP

6144:Kw8fmuI/gUOv/1HswvILwFrqjx8K3SAYNc0mF+qXH0sxuvCT8GX+B:efm5gUSdHTILwFrkmK3QcFXvx8c+B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	015ff421a7e5fb7484db6b2e48251f7a.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	015ff421a7e5fb7484db6b2e48251f7a.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	015ff421a7e5fb7484db6b2e48251f7a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	015ff421a7e5fb7484db6b2e48251f7a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	015ff421a7e5fb7484db6b2e48251f7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	015ff421a7e5fb7484db6b2e48251f7a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2996	015ff421a7e5fb7484db6b2e48251f7a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2996	015ff421a7e5fb7484db6b2e48251f7a.exe
2788	015ff421a7e5fb7484db6b2e48251f7a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2788	2996	015ff421a7e5fb7484db6b2e48251f7a.exe	28
PID 2996 wrote to memory of 2788	2996	015ff421a7e5fb7484db6b2e48251f7a.exe	28
PID 2996 wrote to memory of 2788	2996	015ff421a7e5fb7484db6b2e48251f7a.exe	28
PID 2996 wrote to memory of 2788	2996	015ff421a7e5fb7484db6b2e48251f7a.exe	28

C:\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe
"C:\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe
  C:\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe

Filesize
385KB

MD5
e2449a8d62cb19d243827ecc19890704

SHA1
b43b91b736533fc7e5767f98395ccf8b8a799a79

SHA256
e7b6c7c2d3214cbcd69c411928234f68e5946857b644760423832ad84527d6b9

SHA512
8ba8839cd26020133830806388cfa52cd3873cddda10e0fe16ee0a9100469e4dbdbc20fc5e382fd6282c58b609b5fa2031fb7565cd987fe4e94b848cffdb1ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DA7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DBA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\015ff421a7e5fb7484db6b2e48251f7a.exe

Filesize
313KB

MD5
050e533993124e9c66ae5656ceb92b6f

SHA1
71ef41765f5af6214ccfc5b04da9d8691c5adada

SHA256
4e370d182bd7ed03e2354938513027fd693c042159a97f1a563baaf70b78037a

SHA512
7948bb0f6fcb0d1f63c51f9ac348cb5ac2a63a999a04d1cb46d2aa19751c8072a4c02e0da256fbcee5b162227dae53fc4c4a3594b5409290e9bac2eb3c47e028

Download Submit
memory/2788-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2788-17-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2788-28-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2788-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2788-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2788-82-0x0000000007640000-0x000000000767C000-memory.dmp

Filesize
240KB

Download
memory/2996-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2996-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2996-3-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2996-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing