3a103d82b5fd34a79ea3e8482f16b284613014bd4a0ead87e719d13f8b2efd70

General

Target

252cf0aedd153118ab234b0878407721.exe
Size

907KB
MD5

252cf0aedd153118ab234b0878407721
SHA1

d252273fe0621b58cbb9d6b055cfb5e1c85cc7d3
SHA256

3a103d82b5fd34a79ea3e8482f16b284613014bd4a0ead87e719d13f8b2efd70
SHA512

b73285c7248f731ff75c36c2d36776086c1fa333ca3fd8cd8bd6102bdada20ff3dc04eb967b4bd1ab9176d21bea063291ff2110e19ed7c03f2288e27516bebde
SSDEEP

12288:AZRA1BfCeN3bBCrtjk8LYOGGODca2wdwHykFmYmJmE54zFMhBkBhcjVDa/ZS1:HbfLBC1kBGOxejmYIm/zFbBhCa/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4532	252cf0aedd153118ab234b0878407721.exe

Executes dropped EXE 1 IoCs

pid	Process
4532	252cf0aedd153118ab234b0878407721.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	252cf0aedd153118ab234b0878407721.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c0000000100000004000000000800000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	252cf0aedd153118ab234b0878407721.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
696	252cf0aedd153118ab234b0878407721.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
696	252cf0aedd153118ab234b0878407721.exe
4532	252cf0aedd153118ab234b0878407721.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4532	696	252cf0aedd153118ab234b0878407721.exe	90
PID 696 wrote to memory of 4532	696	252cf0aedd153118ab234b0878407721.exe	90
PID 696 wrote to memory of 4532	696	252cf0aedd153118ab234b0878407721.exe	90

C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
"C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
  C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\252cf0aedd153118ab234b0878407721.exe

Filesize
907KB

MD5
444f82317812e71fa19f406ae0d4f623

SHA1
ba5f550ec042507de4e6cab867e42d64e3bbe7d5

SHA256
20c3691982a0c8ecfc48550eb839757560be7bbadf68391727b425abc396c610

SHA512
bebedc8aca678f6bdc4441c48afe79389a40a3a3ea7e4026188c4c3dc2f42f1e2acc33742fcb162fa901bae40340cab09d0362ffc5689620505304f84e311493

Download Submit
memory/696-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/696-1-0x0000000001730000-0x0000000001818000-memory.dmp

Filesize
928KB

Download
memory/696-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/696-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4532-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4532-16-0x0000000001700000-0x00000000017E8000-memory.dmp

Filesize
928KB

Download
memory/4532-20-0x00000000050B0000-0x000000000516B000-memory.dmp

Filesize
748KB

Download
memory/4532-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4532-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-33-0x000000000B800000-0x000000000B898000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing