5050a8512c5e1751256b1630f12ddcca312d39c12f946ddb8d2ef1aedfd93366

General

Target

0b6676091b74c9af31d4449ed02c9c63.exe
Size

385KB
MD5

0b6676091b74c9af31d4449ed02c9c63
SHA1

a1ad07902fcad2fd40a5138ce0c34ba9dc1621b3
SHA256

5050a8512c5e1751256b1630f12ddcca312d39c12f946ddb8d2ef1aedfd93366
SHA512

6e519681b2f037cf24b0c4ef13b5fa393c97217558df317ee34b15dca1f7dd3e3fefef1e09d75d8a841e9a1443c05a1a140dd3692d03acc701e6d992ff82764d
SSDEEP

6144:Rv7rQB28fQjOOwXDcGJTe78sLwkawiycycHuQ3QN8Ky6dbBekUW8Bx2d8TcuKxB:Rv7rQBiMTsrLwtycTK/yoUs+TcuGB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2256	0b6676091b74c9af31d4449ed02c9c63.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	0b6676091b74c9af31d4449ed02c9c63.exe

Loads dropped DLL 1 IoCs

pid	Process
2184	0b6676091b74c9af31d4449ed02c9c63.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0b6676091b74c9af31d4449ed02c9c63.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0b6676091b74c9af31d4449ed02c9c63.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0b6676091b74c9af31d4449ed02c9c63.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	0b6676091b74c9af31d4449ed02c9c63.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2184	0b6676091b74c9af31d4449ed02c9c63.exe
2256	0b6676091b74c9af31d4449ed02c9c63.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2256	2184	0b6676091b74c9af31d4449ed02c9c63.exe	28
PID 2184 wrote to memory of 2256	2184	0b6676091b74c9af31d4449ed02c9c63.exe	28
PID 2184 wrote to memory of 2256	2184	0b6676091b74c9af31d4449ed02c9c63.exe	28
PID 2184 wrote to memory of 2256	2184	0b6676091b74c9af31d4449ed02c9c63.exe	28

C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
"C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
  C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe

Filesize
73KB

MD5
76c336a41ee0a18543be752dce31d701

SHA1
701f3999ba7b79013f490f19cc01687bfcb9a28e

SHA256
d9eea80ff3074f571d5927cdc46ac2c895eb09a40aad0fb60adc39bce9166b91

SHA512
3758b2c9521b80d420c117a8330353442c702a8855254ac676215fd881b10fa5fa3d9b0ada77463b30b9f0f394f9d50cf956f7d2027bfe023726c82f4db4d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FB6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6FF7.tmp

Filesize
122KB

MD5
5e8034328e3318a9619c1542c0d6550c

SHA1
b26c51da42a1483f62f50237b8262eb6abbb0b8e

SHA256
fc0bc7530e18b6df2c2176beb36215341f0549f6c689889fcbfe5a553d19b3b3

SHA512
01627f1612628b1b77032f4d54619b3405778a3e480fd2e5002c32d1dff01c11b8622be52d03474173130904d59c6401de0ade1751a12591507ced53c872db86

Download Submit
\Users\Admin\AppData\Local\Temp\0b6676091b74c9af31d4449ed02c9c63.exe

Filesize
136KB

MD5
d6328abb2a8d708ca87ccc8b54e41677

SHA1
841ac7c0d7d9d7c3241a6292fe4ffca7fd836a23

SHA256
f665eff992749b84c2ee58c43e1727f17534e74aad6cbc63a9f6bb6b8098dd98

SHA512
4b1cb1b8e4df6ec0e8a3980897c21fd3ade3ff46b1cf66267815a7b6b632186464b4f17a548da7f5b3b61d368e48f6f23cebe4fd5aab85ab37a2bb5a708b272a

Download Submit
memory/2184-14-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2184-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2184-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2184-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2184-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2256-19-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2256-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-25-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2256-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2256-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2256-81-0x000000000EA40000-0x000000000EA7C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing