797b23a2a291ae92f09654f16af98258232115834075df7c7914ca35ea124aa3

General

Target

2acae01af62c3bca5ec444f87b8a3246.exe
Size

385KB
MD5

2acae01af62c3bca5ec444f87b8a3246
SHA1

79d1f91b0a49cd88cae2b217d7f0c82c66465a97
SHA256

797b23a2a291ae92f09654f16af98258232115834075df7c7914ca35ea124aa3
SHA512

17817275a66928c8a0cfea07da717dea654b9bd035dce19afe36f48153b5a04dd5dcdf2d10e230f2da59e84491bee22e983a8d55e477a8abba6e50c7ea229b38
SSDEEP

6144:tR3YlqwRRDiH2UpsB1708Ao29XgYWvnAzOlZG3jY7k7WkL0dmOZHRQumYsLloDmB:b3YMw/s2P08721VWvnZRoruWLrB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	2acae01af62c3bca5ec444f87b8a3246.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	2acae01af62c3bca5ec444f87b8a3246.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	2acae01af62c3bca5ec444f87b8a3246.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2acae01af62c3bca5ec444f87b8a3246.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2acae01af62c3bca5ec444f87b8a3246.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2acae01af62c3bca5ec444f87b8a3246.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2136	2acae01af62c3bca5ec444f87b8a3246.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2136	2acae01af62c3bca5ec444f87b8a3246.exe
3024	2acae01af62c3bca5ec444f87b8a3246.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3024	2136	2acae01af62c3bca5ec444f87b8a3246.exe	14
PID 2136 wrote to memory of 3024	2136	2acae01af62c3bca5ec444f87b8a3246.exe	14
PID 2136 wrote to memory of 3024	2136	2acae01af62c3bca5ec444f87b8a3246.exe	14
PID 2136 wrote to memory of 3024	2136	2acae01af62c3bca5ec444f87b8a3246.exe	14

C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:3024

C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe
"C:\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2acae01af62c3bca5ec444f87b8a3246.exe

Filesize
33KB

MD5
135a325c426d17df721634246f72ee09

SHA1
db9964b0551adce012614c8f11108ec6f24ffe06

SHA256
e1b07228c14b1d8de8ac0ecf583f1d195f5a4212f3581b5a4950fe491760ae0b

SHA512
b9559b7f9b79c328f7f97010a57fc246d1b9d28eb37720a1accace5877ad69c9fe9292db12686eba1a4b7ee0674c6debf6160a600fade72be95828d780d6bda9

Download Submit
memory/2136-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2136-16-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2136-2-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/2136-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2136-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3024-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3024-29-0x0000000002D50000-0x0000000002DAF000-memory.dmp

Filesize
380KB

Download
memory/3024-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-20-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3024-88-0x000000000DC10000-0x000000000DC4C000-memory.dmp

Filesize
240KB

Download
memory/3024-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3024-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3024-89-0x000000000DC10000-0x000000000DC4C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing