c7f9a8de3ec6adb1dd9d1b492b1cbb8c7665afd9462d2226be7aa5574c337092

General

Target

2781d09349e62aaf2423ad21712938d4.exe
Size

385KB
MD5

2781d09349e62aaf2423ad21712938d4
SHA1

b6d5b8c4a2904800a24953a0aa32a43ac032b543
SHA256

c7f9a8de3ec6adb1dd9d1b492b1cbb8c7665afd9462d2226be7aa5574c337092
SHA512

caaff5e2ebf413d99bb1cf28e5a47eb073ce5a28e80d9bd9c0d614f63a91782847b5cc1b21287437fafa31464600f3598d7e6d5583e8034832eded412c471aae
SSDEEP

6144:UGwKZ5R/Qb5kaXTsV+18zNz1jIuP8ZzmRc4MGh4mgTAzYDB:XxdQb2aX9KNpEuP849MGhSDB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	2781d09349e62aaf2423ad21712938d4.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	2781d09349e62aaf2423ad21712938d4.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	2781d09349e62aaf2423ad21712938d4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2781d09349e62aaf2423ad21712938d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2781d09349e62aaf2423ad21712938d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2781d09349e62aaf2423ad21712938d4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1220	2781d09349e62aaf2423ad21712938d4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1220	2781d09349e62aaf2423ad21712938d4.exe
2136	2781d09349e62aaf2423ad21712938d4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2136	1220	2781d09349e62aaf2423ad21712938d4.exe	19
PID 1220 wrote to memory of 2136	1220	2781d09349e62aaf2423ad21712938d4.exe	19
PID 1220 wrote to memory of 2136	1220	2781d09349e62aaf2423ad21712938d4.exe	19
PID 1220 wrote to memory of 2136	1220	2781d09349e62aaf2423ad21712938d4.exe	19

C:\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe
"C:\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe
  C:\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe

Filesize
25KB

MD5
1b620fd8370472e1e8388f98c4109b6b

SHA1
0f7e40f0df0dfda4062de8d29a7516a888db179d

SHA256
9231372ef0c542b71a0687b72a85d3284b69fd05f9cd836cf19b24783bc1b395

SHA512
2a78aa356125b0c965b6b22f5b2e2f1eca7083c453a2b790dcad371a8df7f7caea1161428c90ed01b85b1de31ff2b20df3d96728c33db47f326eaeec0e77c99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE736.tmp

Filesize
33KB

MD5
acee706cd88b666d4ef69f418af8f059

SHA1
dccd0fa6feca847a8a6dccb2593a6a7a4c59e07f

SHA256
b8499e6da492b62c5eab7b395666ea859f07618cacc0a9fc79a07fbed8aff6f6

SHA512
bceddac18ad92bd70d3f3599fd94d211a3196a37bbb730eab4ff41732153827d8f2607b836a356532761134d3a137f9451701398b607065e954110794fd25a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE767.tmp

Filesize
22KB

MD5
b8bc09fe8fc70921be95d51154c0859a

SHA1
14454b29ba10d9b27b4e77630a40931965caf59e

SHA256
a6dc838fa0ec70cc8bcc32f084a0037154ba996ef320c3ca2301a55f3e8355ef

SHA512
2c2f9000b34e094b1e5a5a35e08a6d7e51c5ba1b0b204f88ba586b173a2f1fe63868e468f1571aa7bd491a043aaa63da4ace4b95c4d283da6251168aa05fea3f

Download Submit
\Users\Admin\AppData\Local\Temp\2781d09349e62aaf2423ad21712938d4.exe

Filesize
78KB

MD5
d1f43b7d60dc9af01a9c661f2c6d0b23

SHA1
ec21b3b9f5d5131c1211d5f2744d6eace98ee793

SHA256
f831ca53444615d70d683ba34d55112b92a5c2f8a59a578b9a1c3171385725fa

SHA512
87bd2c9607b48dd42e4416c17769e806cf573fe4d4bfdffce32dbf05559ba5f3be895de5035e783a8f451b5e0d9fe95808c1a812d9fb5708faf90c19cce9e988

Download Submit
memory/1220-12-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/1220-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1220-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1220-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1220-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2136-17-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2136-25-0x00000000002E0000-0x000000000033F000-memory.dmp

Filesize
380KB

Download
memory/2136-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2136-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2136-82-0x0000000007710000-0x000000000774C000-memory.dmp

Filesize
240KB

Download
memory/2136-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing