af3da8fb0bd36af6744479a6f571279438827f439840cab4d7aadf182be42edd

General

Target

2afdc34428f33e13a3ad8d946769dbb9.exe
Size

385KB
MD5

2afdc34428f33e13a3ad8d946769dbb9
SHA1

e1de243e00272ef8118394bd7f65ef6640c55939
SHA256

af3da8fb0bd36af6744479a6f571279438827f439840cab4d7aadf182be42edd
SHA512

28b3561c50ee6ffc980520fe99a94a5e215ab47076b8147f7181beea909d3bb29098a8dab5398b679c88482abff1f7b66a23ed69394eb72832c5d85ca5acb2bb
SSDEEP

6144:zcqM2YsE4pPk53KMf6bN2aDfesDUxFC73OQiid6f+wUSawWqyFSobjk28OlWQgLS:AqB4VApbgAv9HkAlW1+NB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1272	2afdc34428f33e13a3ad8d946769dbb9.exe

Executes dropped EXE 1 IoCs

pid	Process
1272	2afdc34428f33e13a3ad8d946769dbb9.exe

Loads dropped DLL 1 IoCs

pid	Process
2252	2afdc34428f33e13a3ad8d946769dbb9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2afdc34428f33e13a3ad8d946769dbb9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2afdc34428f33e13a3ad8d946769dbb9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2afdc34428f33e13a3ad8d946769dbb9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2252	2afdc34428f33e13a3ad8d946769dbb9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2252	2afdc34428f33e13a3ad8d946769dbb9.exe
1272	2afdc34428f33e13a3ad8d946769dbb9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1272	2252	2afdc34428f33e13a3ad8d946769dbb9.exe	17
PID 2252 wrote to memory of 1272	2252	2afdc34428f33e13a3ad8d946769dbb9.exe	17
PID 2252 wrote to memory of 1272	2252	2afdc34428f33e13a3ad8d946769dbb9.exe	17
PID 2252 wrote to memory of 1272	2252	2afdc34428f33e13a3ad8d946769dbb9.exe	17

C:\Users\Admin\AppData\Local\Temp\2afdc34428f33e13a3ad8d946769dbb9.exe
"C:\Users\Admin\AppData\Local\Temp\2afdc34428f33e13a3ad8d946769dbb9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\2afdc34428f33e13a3ad8d946769dbb9.exe
  C:\Users\Admin\AppData\Local\Temp\2afdc34428f33e13a3ad8d946769dbb9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2afdc34428f33e13a3ad8d946769dbb9.exe

Filesize
385KB

MD5
cc7152051b4b8dbb0468c5542f011a64

SHA1
b40099dca88c8eeddaf74fedb125f4043f374a1e

SHA256
8ce916c2ab3c2b79204d968f90149c511814f284ca2dddc0c7d50c37ccc967dc

SHA512
c7ca6fa73f9c89b55b4a5add3f6b54fa91c061f145bc3796909bcd881332dd33e2960e2bcb09a282ce7c67c83c21d118d468e0813e96f55a9edb89d80febb1c7

Download Submit
memory/1272-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1272-19-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1272-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-23-0x00000000014C0000-0x000000000151F000-memory.dmp

Filesize
380KB

Download
memory/1272-83-0x0000000008570000-0x00000000085AC000-memory.dmp

Filesize
240KB

Download
memory/1272-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1272-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2252-15-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2252-3-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/2252-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2252-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2252-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing