597b771b7d9ed87fb8ea06d98f326f3a5419f0a5375431c82e965bb343eaae37

General

Target

087244a066d1e0a9f731d4a30869fb9b.exe
Size

385KB
MD5

087244a066d1e0a9f731d4a30869fb9b
SHA1

2cab5efae9c09aea0d43a9a0a15e4ae445b31d0a
SHA256

597b771b7d9ed87fb8ea06d98f326f3a5419f0a5375431c82e965bb343eaae37
SHA512

0aba8e52e444eb5fc72af7b5a04df2afee21c1b9737eaffa99886d3799252be4cc13589d5bb183f8a31587752f0fb72ed3aaa433add8c3afc9036e8304c6850f
SSDEEP

6144:2qfYDEnS/Bkg5TXvzlyZ6bAAWvLdLPDkqAR1mUDSlc7LqiPyIJsocnb+B:2qGEnS6gtfzwSavxYcUDr7LqlIMb+B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	087244a066d1e0a9f731d4a30869fb9b.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	087244a066d1e0a9f731d4a30869fb9b.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	087244a066d1e0a9f731d4a30869fb9b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	087244a066d1e0a9f731d4a30869fb9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	087244a066d1e0a9f731d4a30869fb9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2848	087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2848	087244a066d1e0a9f731d4a30869fb9b.exe
2132	087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2132	2848	087244a066d1e0a9f731d4a30869fb9b.exe	16
PID 2848 wrote to memory of 2132	2848	087244a066d1e0a9f731d4a30869fb9b.exe	16
PID 2848 wrote to memory of 2132	2848	087244a066d1e0a9f731d4a30869fb9b.exe	16
PID 2848 wrote to memory of 2132	2848	087244a066d1e0a9f731d4a30869fb9b.exe	16

C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe
"C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe
  C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe

Filesize
36KB

MD5
8b9b9e3589656be837250d62e5878052

SHA1
85006ed54a993c3cbc0fc29d38d3a48a384d55b4

SHA256
2498659788f46f58d4bb2da60465eea034d1cbe404a16a2111a410b983392560

SHA512
b4666a758ad0a9f07a3cf6e598ab41246cb5693628ac9840b7cccf71903d8bc862238b71c5f827e8775ec09e56f9cc27886e91151890dc27903910ae57bfcce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6847.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6888.tmp

Filesize
39KB

MD5
b9f510d830db434e51fe2532016d2a12

SHA1
a1d20426e62420f864ea35980a86e76130e6b32f

SHA256
b47d8163c806a992e5a90dbe9f03d920a6ea78522f90fb6ee0dd1f7d793c59e7

SHA512
3e38431d0ca511ff765bc27ee3b535f856d75185f8439498fb2bea3e745c6888caae36e9ac97d922a5ff0ca2ce2841447de2fd397a395247837f23f398a99659

Download Submit
\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe

Filesize
31KB

MD5
f4947e80740f7931903c06e82d0817e5

SHA1
df68d1da0c21cf99dbb928ee162c2f83e83423e3

SHA256
6d645aeafda0f4cb426ac855ed83f7b9eb57e96dd27a278a39f82fe190421453

SHA512
d783cec98f077fbac541739968c35b455fb3fab91ad6dc748caaf4ba0b5585660420c70f4f2f9fd538a567aa165051f1ad853c6339f40b7d89d464495e2f1211

Download Submit
memory/2132-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2132-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2132-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-28-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2132-78-0x0000000007550000-0x000000000758C000-memory.dmp

Filesize
240KB

Download
memory/2132-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2132-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2848-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-12-0x0000000002E20000-0x0000000002E86000-memory.dmp

Filesize
408KB

Download
memory/2848-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2848-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-6-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing