2aa3a733cfe0e829adefa4b2270acf1680e3df57165159d3f117b8d9b3649cd2

General

Target

12e0ab778664f515920563c203a0ab31.exe
Size

385KB
MD5

12e0ab778664f515920563c203a0ab31
SHA1

598f1800ef24e21642fb1fedececc26567a3408c
SHA256

2aa3a733cfe0e829adefa4b2270acf1680e3df57165159d3f117b8d9b3649cd2
SHA512

dcdeb840ccad3a9053f4a6842114f5142cc313a8c86c64183c6484b3f1935933d01d0b5c4e917d9a26c92b31de9daf1d3b081fe9299dc350e3f15f46feff5a8d
SSDEEP

12288:GrcqGCKREuU/egt12oh9x1Ct2e2yxOeIHZlSJpxkZZEdp5B:wcqqS/egt12ohRCt2NeIHfSJWShB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2200	12e0ab778664f515920563c203a0ab31.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	12e0ab778664f515920563c203a0ab31.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	12e0ab778664f515920563c203a0ab31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	12e0ab778664f515920563c203a0ab31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	12e0ab778664f515920563c203a0ab31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	12e0ab778664f515920563c203a0ab31.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3016	12e0ab778664f515920563c203a0ab31.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3016	12e0ab778664f515920563c203a0ab31.exe
2200	12e0ab778664f515920563c203a0ab31.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2200	3016	12e0ab778664f515920563c203a0ab31.exe	28
PID 3016 wrote to memory of 2200	3016	12e0ab778664f515920563c203a0ab31.exe	28
PID 3016 wrote to memory of 2200	3016	12e0ab778664f515920563c203a0ab31.exe	28
PID 3016 wrote to memory of 2200	3016	12e0ab778664f515920563c203a0ab31.exe	28

C:\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe
"C:\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe
  C:\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe

Filesize
385KB

MD5
7763b399827305560eab82ca94dd857c

SHA1
a5d3e2fe0f9d218f33b74935537182dfe4fa1472

SHA256
1caec027b089414600c1a4293356ccb264624b293967e98cf2168a6e0710a136

SHA512
216f80df6b5ddb9df2a429b60b1d84ab34d5852ceb34c464891bb111b3b42ca1679e63be7fc13e4e3dcdbb4bb26349bf6a12836b6cf165a8b137ee7534c0e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab94E2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar967A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\12e0ab778664f515920563c203a0ab31.exe

Filesize
230KB

MD5
2a4ee68688fb284a8c6c518f6e7a0753

SHA1
7affeca0a12c93d567a5d0f13a37cfa1fb8cb12f

SHA256
c1bafc6d99ececff88fe08c246230679e9ef6bd72261ba1672db8bf758726535

SHA512
a5062bfc119003913fd0c0a62c31e4538ee34c66aab94a33a4f58dcc8c940b2ee1f38ad499efcdd642f84e74abc2211c2601d5eb9db1049480100ee13cd18e01

Download Submit
memory/2200-18-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2200-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2200-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-25-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2200-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2200-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2200-83-0x000000000D620000-0x000000000D65C000-memory.dmp

Filesize
240KB

Download
memory/2200-84-0x000000000D620000-0x000000000D65C000-memory.dmp

Filesize
240KB

Download
memory/3016-12-0x0000000001550000-0x00000000015B6000-memory.dmp

Filesize
408KB

Download
memory/3016-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3016-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3016-2-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing