63ba3123a8da68e9c44bf3211879bb6bbdd3e88eb0f0c8d7979f6d97d31e5d2a

General

Target

15a0ab6b7123c4ebed34fac4d63d4ac3.exe
Size

385KB
MD5

15a0ab6b7123c4ebed34fac4d63d4ac3
SHA1

31d2dd67bd7e9386abc9d1f06c76733d7a8b1368
SHA256

63ba3123a8da68e9c44bf3211879bb6bbdd3e88eb0f0c8d7979f6d97d31e5d2a
SHA512

ef6c4d90d024dc226ccfb8e2dd88da9302bb241173a0e345efd7f7a354eed8ff15d9cbda669050dee3c297b0493cb79e44459b9aa966d757c1d318990417c19d
SSDEEP

12288:xAGcuCUuuSrqT7B2mypWgS7pXW9L5Pib/B:+GcuCCYJpWgS7BWh5Pib/B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2988	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Loads dropped DLL 1 IoCs

pid	Process
1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	15a0ab6b7123c4ebed34fac4d63d4ac3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	15a0ab6b7123c4ebed34fac4d63d4ac3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe
2988	15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2988	1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe	14
PID 1476 wrote to memory of 2988	1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe	14
PID 1476 wrote to memory of 2988	1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe	14
PID 1476 wrote to memory of 2988	1476	15a0ab6b7123c4ebed34fac4d63d4ac3.exe	14

C:\Users\Admin\AppData\Local\Temp\15a0ab6b7123c4ebed34fac4d63d4ac3.exe
C:\Users\Admin\AppData\Local\Temp\15a0ab6b7123c4ebed34fac4d63d4ac3.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2988

C:\Users\Admin\AppData\Local\Temp\15a0ab6b7123c4ebed34fac4d63d4ac3.exe
"C:\Users\Admin\AppData\Local\Temp\15a0ab6b7123c4ebed34fac4d63d4ac3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15a0ab6b7123c4ebed34fac4d63d4ac3.exe

Filesize
99KB

MD5
1fa5b32d69a200bb08065725b84166bb

SHA1
3c148cc2168b40a2d0a46723f74039e6b8356bbe

SHA256
5ce1c8cfca1430fbaba3e8b0993cec11380011ebd370146d3fa27e4725027e12

SHA512
2660acb08ed91644d3b876e389ea8ce706896995808a99d3b5526920652cfbb6561937609f524b958385e972411bfc314bfa86b453b7f32fcbec00e9ef66ead1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11D1.tmp

Filesize
99KB

MD5
fa178920e56586a7d673ef62ab4575c0

SHA1
cfd02c6a6b26f3407a1f9a91411f6f4467b1ee54

SHA256
777c3d087168f5f42bbd550047ecf607a3a375eb621d7e30a38e9c8803a861b9

SHA512
12b20ccc55780883d3b4c36366e335a8d07d9581a2684de3e1c05055b6fff4dd3e0124cc210e93f5f4306c37a163a92584047d5eb0ff5d71f04ee30c593a836f

Download Submit
memory/1476-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1476-14-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1476-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1476-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1476-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2988-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2988-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2988-27-0x00000000015C0000-0x000000000161F000-memory.dmp

Filesize
380KB

Download
memory/2988-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2988-88-0x000000000DD10000-0x000000000DD4C000-memory.dmp

Filesize
240KB

Download
memory/2988-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing