c029a8fdc745bd6a9e487f884eaeed4a42ab5349f38dda165669fd3391e3f7d7

General

Target

09540b757c8b98b6a163adea15ba2bf3.exe
Size

771KB
MD5

09540b757c8b98b6a163adea15ba2bf3
SHA1

5e18479092e18f3e1f725a8d6be48bdc4588b36a
SHA256

c029a8fdc745bd6a9e487f884eaeed4a42ab5349f38dda165669fd3391e3f7d7
SHA512

cb54080b370637ac9b36da910b7cbd04142d3a95621c7d9603e5674e94ff35983c12bfa9330e05c8ef6a4a56b68c3affea5e71fa6409fe1fed394632b5f98d71
SSDEEP

24576:+SsIkFs1VUSlNGB3VBk0b10hJaothZ2/T6FBBB:7USCB3bZ/ofT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	09540b757c8b98b6a163adea15ba2bf3.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	09540b757c8b98b6a163adea15ba2bf3.exe

Loads dropped DLL 1 IoCs

pid	Process
2688	09540b757c8b98b6a163adea15ba2bf3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	09540b757c8b98b6a163adea15ba2bf3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	09540b757c8b98b6a163adea15ba2bf3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	09540b757c8b98b6a163adea15ba2bf3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2688	09540b757c8b98b6a163adea15ba2bf3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2688	09540b757c8b98b6a163adea15ba2bf3.exe
2708	09540b757c8b98b6a163adea15ba2bf3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2708	2688	09540b757c8b98b6a163adea15ba2bf3.exe	30
PID 2688 wrote to memory of 2708	2688	09540b757c8b98b6a163adea15ba2bf3.exe	30
PID 2688 wrote to memory of 2708	2688	09540b757c8b98b6a163adea15ba2bf3.exe	30
PID 2688 wrote to memory of 2708	2688	09540b757c8b98b6a163adea15ba2bf3.exe	30

C:\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe
"C:\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe
  C:\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe

Filesize
474KB

MD5
05f7871609918ca3630a3e6e22a9e784

SHA1
50f56dbcbc574bac27916cac03552143100364f3

SHA256
bbad72565d271d003b9d418d50defbe23aafcc7de846472d6bb32636c93da728

SHA512
6ada38ad0b20a57a154c8340b6bb68ced26df09f782a46afa856583fed9aa1933c96158a22db97a85ad188cf48800c949de8f8418ebd8fa7cd45d0b90f7cf97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE330.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE381.tmp

Filesize
133KB

MD5
dc7ff19a5694b256357f2e3ec8ea5018

SHA1
3c7b05f4609935821fe8e37e3ca0b6f3a27a907d

SHA256
1c72ed98c219dd6ca5ee1e147a7eb181a31a29b82f0fab96db52683ac53afc1d

SHA512
be8a1dd81174640af2737d7ffee2e069bad0cd78274ae42cd34e117cfab0cdf08dc67bc6825dced82d14683437fdde5762eaba274f96fd529cb401af9d95bf91

Download Submit
\Users\Admin\AppData\Local\Temp\09540b757c8b98b6a163adea15ba2bf3.exe

Filesize
1KB

MD5
ed306f503874ea47d4f90292bb940baa

SHA1
6803cb4463f017e8bf9193c32ba8814b4879b6a5

SHA256
c8a5c8567983acdfbbfaab234980cae5a64973d9617014706c5ed8a1da3592a6

SHA512
3e1feb9071f78760ac7df7f946344da316cef7433f735618e88976c5d65b00d5f5b485291f23e66d9b8a9eebc0bbc9e05f9180cd610bc0aca674ee519f4a9336

Download Submit
memory/2688-12-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2688-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2688-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2688-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2688-2-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/2708-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2708-23-0x00000000003A0000-0x00000000003FF000-memory.dmp

Filesize
380KB

Download
memory/2708-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-81-0x000000000EA30000-0x000000000EA6C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing