5b76d285199e653f74bbc88063867b2e3282502982718001585b0e5e79b7a095

General

Target

15dbf60036a5b616cdca06d335330b71.exe
Size

907KB
MD5

15dbf60036a5b616cdca06d335330b71
SHA1

9bcde2c44d9ac04355e96e7c156a61cf6de99a7e
SHA256

5b76d285199e653f74bbc88063867b2e3282502982718001585b0e5e79b7a095
SHA512

5ebe6fa194854625ee7fa8c2dc998098090dee9a362041709490e6669a192e435f24a31eff67a669da316d2d1fff665b73b1148afe6509fdc3fd82a19a056ee4
SSDEEP

24576:xoWSX8cJGXVuLV/lO8vd4598338H3vqa/ZS1:RSX8cJSU/Osd+83yigS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	15dbf60036a5b616cdca06d335330b71.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	15dbf60036a5b616cdca06d335330b71.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	15dbf60036a5b616cdca06d335330b71.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	15dbf60036a5b616cdca06d335330b71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	15dbf60036a5b616cdca06d335330b71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	15dbf60036a5b616cdca06d335330b71.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3016	15dbf60036a5b616cdca06d335330b71.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3016	15dbf60036a5b616cdca06d335330b71.exe
2784	15dbf60036a5b616cdca06d335330b71.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2784	3016	15dbf60036a5b616cdca06d335330b71.exe	29
PID 3016 wrote to memory of 2784	3016	15dbf60036a5b616cdca06d335330b71.exe	29
PID 3016 wrote to memory of 2784	3016	15dbf60036a5b616cdca06d335330b71.exe	29
PID 3016 wrote to memory of 2784	3016	15dbf60036a5b616cdca06d335330b71.exe	29

C:\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe
"C:\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe
  C:\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe

Filesize
137KB

MD5
8020f768eccefd2a9884c2b85e74cf91

SHA1
ad4d8fa9d14692edd52fc62b1ff4862e85708872

SHA256
ede3b28e67fe29b26e0c12602c26bb079f84129530ccbfe33b05b6f37d96767f

SHA512
09ce598b41b457a2f62e93ec6bb68c9f643beb710561c1926736992a57007765d46a18f75009d7256aa4403ca4036c3a7411db5dde76eda00c280d203ce22e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18FF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1931.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
\Users\Admin\AppData\Local\Temp\15dbf60036a5b616cdca06d335330b71.exe

Filesize
112KB

MD5
cd43139a151beedcd5edee54137806d1

SHA1
dec83b03a62672b1a16f0630f090f8339bb1d81a

SHA256
5155184aaa72e35b36ae7049bf53a2df295917385f8b7346286f26e93cc50d83

SHA512
48a6e2560bd0126a71eeb7037f970a784bc67368f0e1c27aa18793b5c406aea096572c60cd58c39d9b15c8e4f9f6084b27573527bcbd0b665ac27510ca1c527c

Download Submit
memory/2784-17-0x0000000000290000-0x0000000000378000-memory.dmp

Filesize
928KB

Download
memory/2784-23-0x00000000017E0000-0x000000000189B000-memory.dmp

Filesize
748KB

Download
memory/2784-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2784-15-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2784-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-82-0x00000000087C0000-0x0000000008858000-memory.dmp

Filesize
608KB

Download
memory/3016-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3016-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3016-5-0x0000000000310000-0x00000000003F8000-memory.dmp

Filesize
928KB

Download
memory/3016-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing