3f530c057aebc5ee4550e2d6299030fdf07feb42406dd4c37acf9ee9fa19221a

General

Target

23a8618ca596037ed7814f9381d58c19.exe
Size

385KB
MD5

23a8618ca596037ed7814f9381d58c19
SHA1

ac70f68a58ef20ef1793d85cdd0ef3db9ba8010d
SHA256

3f530c057aebc5ee4550e2d6299030fdf07feb42406dd4c37acf9ee9fa19221a
SHA512

02236b86969ac087ed7b4156aef04e18dcdcea99134de742c3a2c44989171f9f575fc72092ce73a32e6ea73eadd3ab07cd632d071b33ac97089bcfbc0583f405
SSDEEP

6144:670xTF/tnnSuodgzxQQVz7mF0l27vzoS5XvUOVEBPNtZkDXrzB:9xJ1nnRo0GF0Cvn5XMXT2XrzB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2436	23a8618ca596037ed7814f9381d58c19.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	23a8618ca596037ed7814f9381d58c19.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	23a8618ca596037ed7814f9381d58c19.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	23a8618ca596037ed7814f9381d58c19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	23a8618ca596037ed7814f9381d58c19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	23a8618ca596037ed7814f9381d58c19.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2848	23a8618ca596037ed7814f9381d58c19.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2848	23a8618ca596037ed7814f9381d58c19.exe
2436	23a8618ca596037ed7814f9381d58c19.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2436	2848	23a8618ca596037ed7814f9381d58c19.exe	14
PID 2848 wrote to memory of 2436	2848	23a8618ca596037ed7814f9381d58c19.exe	14
PID 2848 wrote to memory of 2436	2848	23a8618ca596037ed7814f9381d58c19.exe	14
PID 2848 wrote to memory of 2436	2848	23a8618ca596037ed7814f9381d58c19.exe	14

C:\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe
C:\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2436

C:\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe
"C:\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe

Filesize
382KB

MD5
0d91041036cedc7d347325912b7aa272

SHA1
f630892dfd851a48705f1df8f6157180ec619903

SHA256
d627b7ae4936a9adccada9ab0a499fdd707df454362f72fc1b95489b712e518a

SHA512
235c554a111cb661b50e5e91f9c0c9d3e7b2b4217267c25f381a2445fab25c196009bc907dd046bca39db35cc541203920718cfda9a367ec70549ecfbda16ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar634A.tmp

Filesize
96KB

MD5
325a9f52a337369bbb3667d454dc0a16

SHA1
a3c1a8a5717c8a4405f3445ff6cb5dfbb142b60f

SHA256
f37973712d0aaec9621964d877e7ccafdce6eb9c725d02fae5c43d40eb5a9c8b

SHA512
8eec509108c221ed9fda02ca0548e8a66b2f0f0dd35361cf17903930be52c6abeb1f9d86811f5817c2aa3abca1474e6e3212b51405a2cb4d6ee68e3539dfe8af

Download Submit
\Users\Admin\AppData\Local\Temp\23a8618ca596037ed7814f9381d58c19.exe

Filesize
385KB

MD5
e703e274dcf7fd410a89b6b46ce9bdf9

SHA1
2042dd756d0875c31bf892b1d51649c8290f3b8e

SHA256
48a5709d91b0788b0911c9d5982e6415668f945d39fa714ee6c8cc4f44da15e3

SHA512
6acdf059e11762ceae8a51fddae45a3987d9259b88f275c1a6e2704bee1dc5fd42f968c61fea0cc17b17aac182f17a7a0f9f37b89df6cfb274edf678409a9a62

Download Submit
memory/2436-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-20-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2436-29-0x0000000002D00000-0x0000000002D5F000-memory.dmp

Filesize
380KB

Download
memory/2436-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2436-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2436-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2436-88-0x0000000007730000-0x000000000776C000-memory.dmp

Filesize
240KB

Download
memory/2436-89-0x0000000007730000-0x000000000776C000-memory.dmp

Filesize
240KB

Download
memory/2848-16-0x0000000001550000-0x00000000015B6000-memory.dmp

Filesize
408KB

Download
memory/2848-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2848-2-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing