46ed11dfd625b3959884a28228fc30555cf18699dadb044bad264b7fb51f005e

General

Target

0feb48c8e044196b7de92e7e28204979.exe
Size

385KB
MD5

0feb48c8e044196b7de92e7e28204979
SHA1

f548d0e79ffda6ca8bd71c9872f8fe1336b7f246
SHA256

46ed11dfd625b3959884a28228fc30555cf18699dadb044bad264b7fb51f005e
SHA512

c57740d240acb873e4a9ad1e48637ab0556ae0ca7b6f0b59f3233815fdae0f90902bc78de9cf5ec9aeb17496179e0a71d26df1301d6837e031e1c093d7089a47
SSDEEP

6144:jRSjNg/Dd1oWk4tayYsib0VKJqlvo2S+ACUJkJXnILUhB:VMgYPzbszlwLfCKqnILUhB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2188	0feb48c8e044196b7de92e7e28204979.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	0feb48c8e044196b7de92e7e28204979.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	0feb48c8e044196b7de92e7e28204979.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0feb48c8e044196b7de92e7e28204979.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0feb48c8e044196b7de92e7e28204979.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0feb48c8e044196b7de92e7e28204979.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3044	0feb48c8e044196b7de92e7e28204979.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3044	0feb48c8e044196b7de92e7e28204979.exe
2188	0feb48c8e044196b7de92e7e28204979.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2188	3044	0feb48c8e044196b7de92e7e28204979.exe	28
PID 3044 wrote to memory of 2188	3044	0feb48c8e044196b7de92e7e28204979.exe	28
PID 3044 wrote to memory of 2188	3044	0feb48c8e044196b7de92e7e28204979.exe	28
PID 3044 wrote to memory of 2188	3044	0feb48c8e044196b7de92e7e28204979.exe	28

C:\Users\Admin\AppData\Local\Temp\0feb48c8e044196b7de92e7e28204979.exe
"C:\Users\Admin\AppData\Local\Temp\0feb48c8e044196b7de92e7e28204979.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\0feb48c8e044196b7de92e7e28204979.exe
  C:\Users\Admin\AppData\Local\Temp\0feb48c8e044196b7de92e7e28204979.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0feb48c8e044196b7de92e7e28204979.exe

Filesize
39KB

MD5
6aff84687e2e5ccc6ec3bf45bdf16566

SHA1
627e520c54055ade5b486916ed27436594e5c6ca

SHA256
3de48f333f62f58bb4ff4ee3502e2379e59576a1c91d2e09b28a046eeffe38f3

SHA512
53705d3a12ec66eb7d676a2a569b04d63e2bcc124d1f6f8a50f663a66f88645ce4578576e3c899af600dfb9635336ca467b8acb82260c432c1847225cac43943

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBDE5.tmp

Filesize
59KB

MD5
6521945dc14fc9fbb5c7db369c249a7d

SHA1
4ceb2c99af2763d9bf341398284b7fc120a6116b

SHA256
c808ebb878d95ca0e151d821fa7486ac42e6836c8e1eec435beaa70f9ce48084

SHA512
55f78b04e8ccba387b78dca08b7e295659efd6f89bdd63a69f4b4dd813d3c8077de6910e658eef1f6f581ac0ad24ce62c8ba3307fe78aae27e64db055a73487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE74.tmp

Filesize
49KB

MD5
4ddbcf0f62d4922b25079817e7f5d79b

SHA1
cf99c90423093ff5d0a740eced062be3016c3d79

SHA256
44d26af88b685b577563f1a3483437dbc6ab79926241ab801b282bcb7949d2bd

SHA512
07da2cc53effd62790a570f26a3181242e66049114db447d5a427bbfc2b7aa25a9541fa2f6770096fa24478726e8ac53fdf031997736bdf0866f14985491906d

Download Submit
memory/2188-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2188-22-0x0000000000260000-0x00000000002BF000-memory.dmp

Filesize
380KB

Download
memory/2188-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-78-0x00000000075B0000-0x00000000075EC000-memory.dmp

Filesize
240KB

Download
memory/3044-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3044-12-0x0000000000200000-0x0000000000266000-memory.dmp

Filesize
408KB

Download
memory/3044-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3044-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3044-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing