3f06623c6bd14fe58a5960f012f032bf3169372be5070ad4354dc4f7ab887f60

General

Target

1930f3a0fda2a5d7010efac55c551d8c.exe
Size

907KB
MD5

1930f3a0fda2a5d7010efac55c551d8c
SHA1

232ae3f0aa7cd3063bfcf807528e9013dda7cc70
SHA256

3f06623c6bd14fe58a5960f012f032bf3169372be5070ad4354dc4f7ab887f60
SHA512

84c6200bfe20fca1c0fb1d3e6ee126ec7912f37c8ba2970c953a87e52583bcfd41e85b5498cc9604826e7fde49102727be78d46533b0760e1392ab0fe796adec
SSDEEP

12288:CL7Zog6XqiTdLyD6jmvRXXYakAyyqShS1iE9oJGRCcM1FjVDa/ZS1:20X/Aei5XYavyyFhS1iE6JeS17a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2420	1930f3a0fda2a5d7010efac55c551d8c.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	1930f3a0fda2a5d7010efac55c551d8c.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	1930f3a0fda2a5d7010efac55c551d8c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	1930f3a0fda2a5d7010efac55c551d8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	1930f3a0fda2a5d7010efac55c551d8c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	1930f3a0fda2a5d7010efac55c551d8c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1104	1930f3a0fda2a5d7010efac55c551d8c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1104	1930f3a0fda2a5d7010efac55c551d8c.exe
2420	1930f3a0fda2a5d7010efac55c551d8c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2420	1104	1930f3a0fda2a5d7010efac55c551d8c.exe	29
PID 1104 wrote to memory of 2420	1104	1930f3a0fda2a5d7010efac55c551d8c.exe	29
PID 1104 wrote to memory of 2420	1104	1930f3a0fda2a5d7010efac55c551d8c.exe	29
PID 1104 wrote to memory of 2420	1104	1930f3a0fda2a5d7010efac55c551d8c.exe	29

C:\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe
"C:\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe
  C:\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe

Filesize
490KB

MD5
20647bb891174b42dbcec0b927874ed8

SHA1
87106dca6d4f8064337f0fb426b4f51cbcd05b62

SHA256
1655406b933d0e2befdba4e429609d9255860165f443dad83d0a05041df7e64b

SHA512
ebe2d3970e0d486c1760e2414d46e09ecd93a6b2598d3038eac09151d75541d96df3efb0531e7f1a80907dead5fdd9880253faa7d0f052b4343a23b5ea4029bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FAF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FE1.tmp

Filesize
45KB

MD5
027ec9b3c4e3f3a58718bdbc510d770e

SHA1
05bbca63590985e917b256cd84e7d50169fc3070

SHA256
5de40a3b9e240025799eabe14fc382fdf50e75f5ca23c6e7d1917bb6e025dff6

SHA512
e5041e090c8522ec9d67e5ea5ff1a44bd743cee62e99e7f36a0afe47fa16f8c52cb1fd07bb829a59a5cac443fe88e9a56099fa8db82cf369cb92f2d25b9ac1fd

Download Submit
\Users\Admin\AppData\Local\Temp\1930f3a0fda2a5d7010efac55c551d8c.exe

Filesize
736KB

MD5
f3878a4813cfd74311c9e96d2da30def

SHA1
808bb02ad75ac97de3de710489baf1aca06d244a

SHA256
d70f828a7051cfc313a53d60dae277b2033b8f749c1b8c884e4ebd64f1f7bf00

SHA512
aabddce212bb266a714420be25048d910a53567aac8b217178ccc3609fb6b08fe4e9666e41054ffa9e66614ac6a3ca0355bd2851908d0c4fc221d058f31d15f1

Download Submit
memory/1104-14-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1104-12-0x0000000003220000-0x0000000003308000-memory.dmp

Filesize
928KB

Download
memory/1104-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1104-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1104-2-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/2420-17-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/2420-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2420-24-0x0000000002EC0000-0x0000000002F7B000-memory.dmp

Filesize
748KB

Download
memory/2420-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-79-0x000000000D9D0000-0x000000000DA68000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing