288d14d9cde1b8db952d98bcc648b6effeee382d49aa81c45fdb72965972db2a

General

Target

092bd9c8b4c61a76518487e79c59d7f8.exe
Size

907KB
MD5

092bd9c8b4c61a76518487e79c59d7f8
SHA1

17594f2eb3bd35f36d0ec2db631e404e43a1c321
SHA256

288d14d9cde1b8db952d98bcc648b6effeee382d49aa81c45fdb72965972db2a
SHA512

76bc42f447fb596d2cf419a64826839697e6fe05a88105224636a2667eaf41821f14b469009126d433c0acda71ac95929cc6fbed0192bff87ac2179ddd5f1488
SSDEEP

24576:3XeWWRHLDjkfDLdGYdGeH0/8NeiW+UGJlQBbvERpaeirmZ2jnwS3e6TmoudkeakM:3XeWWRHLDjkfHdndGeH0/8NeiW+UGJls

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	092bd9c8b4c61a76518487e79c59d7f8.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	092bd9c8b4c61a76518487e79c59d7f8.exe

Loads dropped DLL 1 IoCs

pid	Process
3052	092bd9c8b4c61a76518487e79c59d7f8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	092bd9c8b4c61a76518487e79c59d7f8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	092bd9c8b4c61a76518487e79c59d7f8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	092bd9c8b4c61a76518487e79c59d7f8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	092bd9c8b4c61a76518487e79c59d7f8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3052	092bd9c8b4c61a76518487e79c59d7f8.exe
2708	092bd9c8b4c61a76518487e79c59d7f8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2708	3052	092bd9c8b4c61a76518487e79c59d7f8.exe	17
PID 3052 wrote to memory of 2708	3052	092bd9c8b4c61a76518487e79c59d7f8.exe	17
PID 3052 wrote to memory of 2708	3052	092bd9c8b4c61a76518487e79c59d7f8.exe	17
PID 3052 wrote to memory of 2708	3052	092bd9c8b4c61a76518487e79c59d7f8.exe	17

C:\Users\Admin\AppData\Local\Temp\092bd9c8b4c61a76518487e79c59d7f8.exe
"C:\Users\Admin\AppData\Local\Temp\092bd9c8b4c61a76518487e79c59d7f8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\092bd9c8b4c61a76518487e79c59d7f8.exe
  C:\Users\Admin\AppData\Local\Temp\092bd9c8b4c61a76518487e79c59d7f8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2708-20-0x00000000002E0000-0x00000000003C8000-memory.dmp

Filesize
928KB

Download
memory/2708-26-0x0000000002EA0000-0x0000000002F5B000-memory.dmp

Filesize
748KB

Download
memory/2708-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2708-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-81-0x00000000086C0000-0x0000000008758000-memory.dmp

Filesize
608KB

Download
memory/3052-3-0x00000000002F0000-0x00000000003D8000-memory.dmp

Filesize
928KB

Download
memory/3052-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3052-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3052-15-0x00000000031E0000-0x00000000032C8000-memory.dmp

Filesize
928KB

Download
memory/3052-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing