c4cbe2085eb5c538971dda9a2b789b904120dd128def616b40179599bb90d663

General

Target

142a2d3dea2882c789d495d510e8aff9.exe
Size

385KB
MD5

142a2d3dea2882c789d495d510e8aff9
SHA1

5dbeeddcb8000690097115dc432696a0c6ddaba8
SHA256

c4cbe2085eb5c538971dda9a2b789b904120dd128def616b40179599bb90d663
SHA512

cbbbca91ca88eb96045ea2fa9387615de7544cdf32f0bd28f9af25d5453f012f6e9f1dfc98e176b7d2c5ebd28a968236547fbe3bde3c476bc966f90497b8b439
SSDEEP

6144:EbSJtTwaqtBY2ueUeli9W7EJWjrCIQmxWatnAJR4AHYlBNpOrXMtC+nB:EbSJmS2Cz93Wrz5xtWXHmBqgB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	142a2d3dea2882c789d495d510e8aff9.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	142a2d3dea2882c789d495d510e8aff9.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	142a2d3dea2882c789d495d510e8aff9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	142a2d3dea2882c789d495d510e8aff9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	142a2d3dea2882c789d495d510e8aff9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	142a2d3dea2882c789d495d510e8aff9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	142a2d3dea2882c789d495d510e8aff9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	142a2d3dea2882c789d495d510e8aff9.exe
3068	142a2d3dea2882c789d495d510e8aff9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3068	3028	142a2d3dea2882c789d495d510e8aff9.exe	16
PID 3028 wrote to memory of 3068	3028	142a2d3dea2882c789d495d510e8aff9.exe	16
PID 3028 wrote to memory of 3068	3028	142a2d3dea2882c789d495d510e8aff9.exe	16
PID 3028 wrote to memory of 3068	3028	142a2d3dea2882c789d495d510e8aff9.exe	16

C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
"C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
  C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab148C.tmp

Filesize
31KB

MD5
8ccdf20c482e9ca646ac3e16e592cf7a

SHA1
0c89e1600962a79f05667ca661ed77f20bef5854

SHA256
f0fb403904cd36346c326a0889121c3a0ee02854582566c67c6906338c637eca

SHA512
7ec6aaabaae158eb068c0548bc1e50aed25dc4f0b0d2bbb0937d49e4825156acf0a475289dc124b81aa82b17d4ccd17c03540c37654f11d79b56f3deb3de015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar149F.tmp

Filesize
12KB

MD5
4f61616febcf222f628e04ed19b23463

SHA1
38d2851efcb79c1d52ebcb3fbc0e2ac2aa4cadb6

SHA256
1120666b3d8a178a6896b7162e3b7e532f081486d43f50690061b72b5428bae8

SHA512
cd3631432999e82f2d7c2f81e52af96d65c7eb0c3b385a2d0c913d355cd1535c149eab38ba1e52aeaa3d2d8406f3624da274b8e67ccfef0b12ea23bdb851d0b1

Download Submit
\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe

Filesize
13KB

MD5
286cbdf635cb554ceb6053e6e17dd5f8

SHA1
fa8cc86a0a441381d7046dff6de784925c583d51

SHA256
9d7d770b43600dd6c42fe6b3d0221d4e173912efad19c137d08bdbb6a636d6e1

SHA512
5cf0e983174b02d8b3f9b62420c34f10278126bbaab02c370d0e8ec2e631dd4266e8bc7664cec0bd15e1792d98a88dd28233359b2a9d7eda67db47578fd0f6a3

Download Submit
memory/3028-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3028-15-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/3028-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/3068-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-28-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/3068-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3068-20-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/3068-83-0x0000000005550000-0x000000000558C000-memory.dmp

Filesize
240KB

Download
memory/3068-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3068-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing