3a103d82b5fd34a79ea3e8482f16b284613014bd4a0ead87e719d13f8b2efd70

General

Target

252cf0aedd153118ab234b0878407721.exe
Size

907KB
MD5

252cf0aedd153118ab234b0878407721
SHA1

d252273fe0621b58cbb9d6b055cfb5e1c85cc7d3
SHA256

3a103d82b5fd34a79ea3e8482f16b284613014bd4a0ead87e719d13f8b2efd70
SHA512

b73285c7248f731ff75c36c2d36776086c1fa333ca3fd8cd8bd6102bdada20ff3dc04eb967b4bd1ab9176d21bea063291ff2110e19ed7c03f2288e27516bebde
SSDEEP

12288:AZRA1BfCeN3bBCrtjk8LYOGGODca2wdwHykFmYmJmE54zFMhBkBhcjVDa/ZS1:HbfLBC1kBGOxejmYIm/zFbBhCa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2424	252cf0aedd153118ab234b0878407721.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	252cf0aedd153118ab234b0878407721.exe

Loads dropped DLL 1 IoCs

pid	Process
760	252cf0aedd153118ab234b0878407721.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	252cf0aedd153118ab234b0878407721.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	252cf0aedd153118ab234b0878407721.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	252cf0aedd153118ab234b0878407721.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
760	252cf0aedd153118ab234b0878407721.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
760	252cf0aedd153118ab234b0878407721.exe
2424	252cf0aedd153118ab234b0878407721.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2424	760	252cf0aedd153118ab234b0878407721.exe	29
PID 760 wrote to memory of 2424	760	252cf0aedd153118ab234b0878407721.exe	29
PID 760 wrote to memory of 2424	760	252cf0aedd153118ab234b0878407721.exe	29
PID 760 wrote to memory of 2424	760	252cf0aedd153118ab234b0878407721.exe	29

C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
"C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
  C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe

Filesize
92KB

MD5
021983852cd51339c026f4d453d4f14c

SHA1
04437a01b547918b9d2c8d43ba642f7c32e389b8

SHA256
0f99577d5185ae562663351ea07ead63301754228437fb2234fa4140837f05d7

SHA512
297bf7744c15019b503de876396c9e0a6b05cd941ad571659f006d89c8f82f664c5be30c3b6b83d5ff052dcbe122a43e00b59cf2f7dd8efe66790a55751a0ca4

Download Submit
memory/760-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/760-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/760-4-0x00000000002F0000-0x00000000003D8000-memory.dmp

Filesize
928KB

Download
memory/760-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2424-15-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2424-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2424-24-0x0000000002F50000-0x000000000300B000-memory.dmp

Filesize
748KB

Download
memory/2424-21-0x0000000000310000-0x00000000003F8000-memory.dmp

Filesize
928KB

Download
memory/2424-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2424-80-0x000000000EC40000-0x000000000ECD8000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing