c84e51e9d3db6b70bca2aa4f2a3610a4bc8de611d7fd58036b9a488006441b69

General

Target

2081732c92621aaf77c3fded7c393cca.exe
Size

385KB
MD5

2081732c92621aaf77c3fded7c393cca
SHA1

f4251f8d54b05a0195cb31e50ef4d112c30802fc
SHA256

c84e51e9d3db6b70bca2aa4f2a3610a4bc8de611d7fd58036b9a488006441b69
SHA512

32c5725884d61b54ca2632a8dc289f7cf4f2dba141c95752379f0419018be25abc0fd3487ddd22fc50f43168d07fbaaf6309c1815f131d909c23eea8d1bd60aa
SSDEEP

6144:PdT1fxSEVhz3ig83FMrh4VM66p5zGMrg831qbMbSNNed3aUDrSfujrB:1RfxSmiDM14VEpkMh314MbB3aFujrB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	2081732c92621aaf77c3fded7c393cca.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	2081732c92621aaf77c3fded7c393cca.exe

Loads dropped DLL 1 IoCs

pid	Process
2800	2081732c92621aaf77c3fded7c393cca.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2081732c92621aaf77c3fded7c393cca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2081732c92621aaf77c3fded7c393cca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2081732c92621aaf77c3fded7c393cca.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	2081732c92621aaf77c3fded7c393cca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2800	2081732c92621aaf77c3fded7c393cca.exe
3024	2081732c92621aaf77c3fded7c393cca.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3024	2800	2081732c92621aaf77c3fded7c393cca.exe	14
PID 2800 wrote to memory of 3024	2800	2081732c92621aaf77c3fded7c393cca.exe	14
PID 2800 wrote to memory of 3024	2800	2081732c92621aaf77c3fded7c393cca.exe	14
PID 2800 wrote to memory of 3024	2800	2081732c92621aaf77c3fded7c393cca.exe	14

C:\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe
C:\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:3024

C:\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe
"C:\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe

Filesize
381KB

MD5
244c90c8cc5c050fd51b390b1d184570

SHA1
56a108eb0d9f92696b9e28592fc234ce997fe051

SHA256
4ebe8c0a6d9e73d2fb66a93959ed976d8f3aadaf80fdec29ee2f6a0b3cfcce76

SHA512
7e1bc03025576b1db703866c8d2e15f83456abd914c41ed5aae80de2a25dfce2ec633bbc7c803f66cd692893750d11e36a6db9acaf1c86e9b18f576f968aaa91

Download Submit
\Users\Admin\AppData\Local\Temp\2081732c92621aaf77c3fded7c393cca.exe

Filesize
385KB

MD5
9ec651d57c51902f3ef73fc8842f737d

SHA1
ca9670a2911f65e7aefc07c308087b14c9383ba1

SHA256
bb0769c985045a60bb523a8f282c3c797a15d0299b8a689c1ec5fa3b2f5d7955

SHA512
2fb13f0af8b591dc2d0880716bb8854e67ba468a84378e7270eed1b5284d315abaee466b8425a565d3ba6c233505a258ad9f50b02b2c45c5dcdf3c77db41f1e5

Download Submit
memory/2800-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2800-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2800-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2800-2-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/2800-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3024-17-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/3024-29-0x0000000002CF0000-0x0000000002D4F000-memory.dmp

Filesize
380KB

Download
memory/3024-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3024-83-0x000000000ED00000-0x000000000ED3C000-memory.dmp

Filesize
240KB

Download
memory/3024-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3024-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing