19820373a208151a532d5eb9a30ad357a4b62f8c64ba1176a9d1b2819f6fde14

General

Target

0f6255ea442da03df4b3156d5c8cf84e.exe
Size

385KB
MD5

0f6255ea442da03df4b3156d5c8cf84e
SHA1

dc899e862d1eacb57e118049c3e63050a0d168ec
SHA256

19820373a208151a532d5eb9a30ad357a4b62f8c64ba1176a9d1b2819f6fde14
SHA512

7597b23ac06aa3f5f5cb56c7148b87cf1a7e68e676aa9116984916924a96bb4a2b99e4e53920de42d2edfed5c0f8631d8f0c483af023e1a903c5deb4222c0f33
SSDEEP

6144:4TONjMnFGFUIlLz1gw5Y1ngQeO1w3yFdk3tllnIoxc3EIbQZYhB:4TtGtz195YF3pwiF+3ZnIoxcU7EB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	0f6255ea442da03df4b3156d5c8cf84e.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	0f6255ea442da03df4b3156d5c8cf84e.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	0f6255ea442da03df4b3156d5c8cf84e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0f6255ea442da03df4b3156d5c8cf84e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0f6255ea442da03df4b3156d5c8cf84e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0f6255ea442da03df4b3156d5c8cf84e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	0f6255ea442da03df4b3156d5c8cf84e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2016	0f6255ea442da03df4b3156d5c8cf84e.exe
2752	0f6255ea442da03df4b3156d5c8cf84e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2752	2016	0f6255ea442da03df4b3156d5c8cf84e.exe	26
PID 2016 wrote to memory of 2752	2016	0f6255ea442da03df4b3156d5c8cf84e.exe	26
PID 2016 wrote to memory of 2752	2016	0f6255ea442da03df4b3156d5c8cf84e.exe	26
PID 2016 wrote to memory of 2752	2016	0f6255ea442da03df4b3156d5c8cf84e.exe	26

C:\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe
"C:\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe
  C:\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe

Filesize
87KB

MD5
01aa3827d58f2e85dda160331f88684c

SHA1
2341d80b9bad20c0953b1d9fc8ae781f2261b957

SHA256
dd2b2d0c089f70a35a18a0be89535badb3b4eed751e2e89defff386a0283a953

SHA512
4aebf82ba087776ea4a98a328f2000ec2157015094d05de9c4cf97cd3657ac6949356976aea3ee2a2691d2e89fdd5c4b1df74e9bbb36ad3a217d64e8b52b5119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FED.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar600F.tmp

Filesize
106KB

MD5
aa02a8f564e188eb7d5aa3c5fbdcd985

SHA1
e95d85dbb4b4c26ef7a70c1750a2c33f65ecacba

SHA256
b0e7474b16725956140df3c8db0e74d36246960e172842cba782d2767972a580

SHA512
17edccbb4f8b14848445bc0bda591547b9d75302f52392b80f1dfcbe892c7587446dda89de03a47feda19e1cbb75434cecdf68d4afdffb7ded40bfe588d9039b

Download Submit
\Users\Admin\AppData\Local\Temp\0f6255ea442da03df4b3156d5c8cf84e.exe

Filesize
140KB

MD5
c95db251f637af113bbc9401412a55ed

SHA1
25c8bf51c35141fda61b1d33c3ecd248fd2cb77d

SHA256
b0164bd8c5092adb2bc74b511c4705f8283222100528cf26682a397f61c1a9e3

SHA512
65ec1d59f7c5bbb89d01415a73ea0d8d67d8720536e5c5a895d0b24c90bbed64c83804894ae6bd3566664f69b778a54bbd3b19154ee0095698aa40bd17e55f56

Download Submit
memory/2016-12-0x0000000002DF0000-0x0000000002E56000-memory.dmp

Filesize
408KB

Download
memory/2016-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2016-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2016-2-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2016-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2752-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-25-0x00000000003A0000-0x00000000003FF000-memory.dmp

Filesize
380KB

Download
memory/2752-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2752-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2752-82-0x000000000EAE0000-0x000000000EB1C000-memory.dmp

Filesize
240KB

Download
memory/2752-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing