225c20667fce98bd3ecc5e8b6e11588647e617dda6693cce33f6c20c0b17e199

General

Target

2611a1db2b3aaf52d666e383e31242ad.exe
Size

907KB
MD5

2611a1db2b3aaf52d666e383e31242ad
SHA1

cd94f8af6d789b5617b96f0d51a1425c145aa209
SHA256

225c20667fce98bd3ecc5e8b6e11588647e617dda6693cce33f6c20c0b17e199
SHA512

be663d8c33037098b110c103e4a986d6e4765edd078d8cf6498d8be07856dabb9252a62a1826a42f33bca2f14f5b17f14b60fe977efacdc344ceef83a495d706
SSDEEP

24576:mqpV0r7hm1copV7ywN1lzEAlRGhTW0WkvrGa/ZS1:mOwhm1h7FNPAAlRGhtWCrGgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1300	2611a1db2b3aaf52d666e383e31242ad.exe

Executes dropped EXE 1 IoCs

pid	Process
1300	2611a1db2b3aaf52d666e383e31242ad.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	2611a1db2b3aaf52d666e383e31242ad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2611a1db2b3aaf52d666e383e31242ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2611a1db2b3aaf52d666e383e31242ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2611a1db2b3aaf52d666e383e31242ad.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1756	2611a1db2b3aaf52d666e383e31242ad.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1756	2611a1db2b3aaf52d666e383e31242ad.exe
1300	2611a1db2b3aaf52d666e383e31242ad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1300	1756	2611a1db2b3aaf52d666e383e31242ad.exe	20
PID 1756 wrote to memory of 1300	1756	2611a1db2b3aaf52d666e383e31242ad.exe	20
PID 1756 wrote to memory of 1300	1756	2611a1db2b3aaf52d666e383e31242ad.exe	20
PID 1756 wrote to memory of 1300	1756	2611a1db2b3aaf52d666e383e31242ad.exe	20

C:\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe
"C:\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe
  C:\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe

Filesize
19KB

MD5
28ddd65ead884e40a82bf3e8bedc5cf9

SHA1
8a256db6befe41281b0aedd2a86d1afe0d128463

SHA256
5a561747738e0667c4e01b79e7a89df680b3732a7df635a9bb0c5502c73e508d

SHA512
d54c4070c55b314caa7fca294db3ab687349b4ba9c20aec9332425e8917ee5a94502b17da697ddf7ec17febfa6c3fa866d1f8643bc890023f538a44e524efbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8BF.tmp

Filesize
16KB

MD5
cf73de57fb1b427ecade575aefdfe1c1

SHA1
7c5748933c8715ecf9a9fe850a0620713fe2c73c

SHA256
b49f8aa390b30afcf7a9ba6a214397efa45b28524b2da62d268c24d33edfff9c

SHA512
b1087a72519f9305542af5c62e5b520a5243978b6cc15eb155446a95659ed4a666d0ab6e2dd1f9eaf7bd7279bdaf65f980604289002b4417fc55fa78e433fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA930.tmp

Filesize
22KB

MD5
a0d2c67e5c266c6b5b9decb46ee1e076

SHA1
b24853016f896cb0241610ef2bae1023f56f8353

SHA256
9d2e0d83756dfdf7d6abf831a221cdb30393eddcba73ebe32ae4bb4c533d0599

SHA512
d40503b3355b0c422414ecfddf4dca57f082875d8e9ce32844735be6cd3b677229e3c23781a0a3d353e9106f4bbcda66912c22f67463b44d0b2e60489d5381d0

Download Submit
\Users\Admin\AppData\Local\Temp\2611a1db2b3aaf52d666e383e31242ad.exe

Filesize
16KB

MD5
e576410ae0bb5eac4bbe2703abafae9e

SHA1
331718914b46a19b5c28f8ced93b7ad0eec583ea

SHA256
bd33fe8e4c2544af40e3c48be15ff75814ea824fb5ab9aa34b88462d7f1fb675

SHA512
1f1c7ad95a09446ee79f3a0bcf213e903cb57dee527601642d832ea83f272e7191dc6410e21abdcf197768121189ecf964a55950cc24aad0d05cae29d95fe06d

Download Submit
memory/1300-23-0x00000000015E0000-0x000000000169B000-memory.dmp

Filesize
748KB

Download
memory/1300-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1300-21-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/1300-78-0x000000000EC60000-0x000000000ECF8000-memory.dmp

Filesize
608KB

Download
memory/1300-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1756-14-0x0000000003290000-0x0000000003378000-memory.dmp

Filesize
928KB

Download
memory/1756-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1756-3-0x0000000000280000-0x0000000000368000-memory.dmp

Filesize
928KB

Download
memory/1756-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing