33aa4b9294adbbbd971a9d2678434ce30ae79c6f97e265498c8cb1b2b54e80bc

General

Target

0f45d6446cca82de5e06f1110ec543ff.exe
Size

907KB
MD5

0f45d6446cca82de5e06f1110ec543ff
SHA1

7a91f4de791ecd6722d534e96b8f487e1fdbbde2
SHA256

33aa4b9294adbbbd971a9d2678434ce30ae79c6f97e265498c8cb1b2b54e80bc
SHA512

3462d28462bea0888729e86f71455e707c3cfa59f54f005c14c136faffd993080532f4cc642e804e487376a3a9c0fb3ada385dc41168f443b6e432078549e7d3
SSDEEP

24576:8k6bMFKSnxEF8Z/3V4RDzbqNXRRYa/ZS1:8kLRxB3V41zaRYgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	0f45d6446cca82de5e06f1110ec543ff.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	0f45d6446cca82de5e06f1110ec543ff.exe

Loads dropped DLL 1 IoCs

pid	Process
2872	0f45d6446cca82de5e06f1110ec543ff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0f45d6446cca82de5e06f1110ec543ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0f45d6446cca82de5e06f1110ec543ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0f45d6446cca82de5e06f1110ec543ff.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2872	0f45d6446cca82de5e06f1110ec543ff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2872	0f45d6446cca82de5e06f1110ec543ff.exe
3060	0f45d6446cca82de5e06f1110ec543ff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3060	2872	0f45d6446cca82de5e06f1110ec543ff.exe	29
PID 2872 wrote to memory of 3060	2872	0f45d6446cca82de5e06f1110ec543ff.exe	29
PID 2872 wrote to memory of 3060	2872	0f45d6446cca82de5e06f1110ec543ff.exe	29
PID 2872 wrote to memory of 3060	2872	0f45d6446cca82de5e06f1110ec543ff.exe	29

C:\Users\Admin\AppData\Local\Temp\0f45d6446cca82de5e06f1110ec543ff.exe
"C:\Users\Admin\AppData\Local\Temp\0f45d6446cca82de5e06f1110ec543ff.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\0f45d6446cca82de5e06f1110ec543ff.exe
  C:\Users\Admin\AppData\Local\Temp\0f45d6446cca82de5e06f1110ec543ff.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0f45d6446cca82de5e06f1110ec543ff.exe

Filesize
3KB

MD5
54c24eee98ab8bd1536e489187fcb29e

SHA1
92c8adbb002d3afe3e447e59a93fc00390fba178

SHA256
9eb21702537c4274b8bae4ddcf8e6afe4585b2e48e07d234a57396061c9c9ca4

SHA512
a7e78da0439f751d211cd3f0d96a867c27dceb598cd79fd8af11f70fb83beca6b65a603bda1441a4cc48d6add54036c6b68b049294fd0702388a20db19dd3a47

Download Submit
memory/2872-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2872-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2872-4-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/2872-14-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2872-12-0x0000000003210000-0x00000000032F8000-memory.dmp

Filesize
928KB

Download
memory/3060-17-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/3060-28-0x0000000002F70000-0x000000000302B000-memory.dmp

Filesize
748KB

Download
memory/3060-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3060-87-0x000000000DE30000-0x000000000DEC8000-memory.dmp

Filesize
608KB

Download
memory/3060-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing