dfdf2009841854a38373f417760e36c88b21792edf690c8f0d3a3ccfb20d4348

General

Target

29febba89277c809e45844c1fdf7b44e.exe
Size

385KB
MD5

29febba89277c809e45844c1fdf7b44e
SHA1

ddd978ccc99465bc78ffd0f63bd3b2c156a65211
SHA256

dfdf2009841854a38373f417760e36c88b21792edf690c8f0d3a3ccfb20d4348
SHA512

0b4220a69b99becd8c52aced06a69454de28b67ccbb0260ec6c3f760c167b78be9daf11e1327d36de13c46a769e36a463efdf61f5d6ee84b2f43d0dc960b4be6
SSDEEP

12288:jSNPeUOe4nX5UhTSH+bV5YSjYzVnTmRhN9LB:0Pf1KX+SW3YsqVnTmzLB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1928	29febba89277c809e45844c1fdf7b44e.exe

Executes dropped EXE 1 IoCs

pid	Process
1928	29febba89277c809e45844c1fdf7b44e.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	29febba89277c809e45844c1fdf7b44e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	29febba89277c809e45844c1fdf7b44e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	29febba89277c809e45844c1fdf7b44e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	29febba89277c809e45844c1fdf7b44e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	29febba89277c809e45844c1fdf7b44e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2932	29febba89277c809e45844c1fdf7b44e.exe
1928	29febba89277c809e45844c1fdf7b44e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1928	2932	29febba89277c809e45844c1fdf7b44e.exe	14
PID 2932 wrote to memory of 1928	2932	29febba89277c809e45844c1fdf7b44e.exe	14
PID 2932 wrote to memory of 1928	2932	29febba89277c809e45844c1fdf7b44e.exe	14
PID 2932 wrote to memory of 1928	2932	29febba89277c809e45844c1fdf7b44e.exe	14

C:\Users\Admin\AppData\Local\Temp\29febba89277c809e45844c1fdf7b44e.exe
C:\Users\Admin\AppData\Local\Temp\29febba89277c809e45844c1fdf7b44e.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1928

C:\Users\Admin\AppData\Local\Temp\29febba89277c809e45844c1fdf7b44e.exe
"C:\Users\Admin\AppData\Local\Temp\29febba89277c809e45844c1fdf7b44e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29febba89277c809e45844c1fdf7b44e.exe

Filesize
92KB

MD5
f841ea1e69b119798e92a100f16778a5

SHA1
4ec6c4cd73cc4813b3f502af95112351a857e8e4

SHA256
bf77d2c9dcf3edbb429b2db63bf68d5c89fed5ff8380f689cce2931b80ec3663

SHA512
f2210e320eec3ee93edc03a64aec1dc2d52a7423a26ab8c3b6a18b1a415fa1226e9df96d2012842bea6a294893bd07be09f0633218e94dc549fd548ff703875d

Download Submit
memory/1928-88-0x000000000D610000-0x000000000D64C000-memory.dmp

Filesize
240KB

Download
memory/1928-89-0x000000000D610000-0x000000000D64C000-memory.dmp

Filesize
240KB

Download
memory/1928-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1928-29-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/1928-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-20-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1928-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1928-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2932-16-0x0000000002C70000-0x0000000002CD6000-memory.dmp

Filesize
408KB

Download
memory/2932-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2932-2-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing