b6ab643664b74a120fdbd66c5f0e01388ff05bcd9f22f0c32532c612464d8cbc

General

Target

40c47e9111a3447061ed12bd69e09620.exe
Size

907KB
MD5

40c47e9111a3447061ed12bd69e09620
SHA1

0ffcbe09a6dcd1156d2825cfeb0e9267a4544821
SHA256

b6ab643664b74a120fdbd66c5f0e01388ff05bcd9f22f0c32532c612464d8cbc
SHA512

f119b76e98ef90f356e10c710ea61fc640b3b5f90ec957f8c2777a3cae6383607498ad9205a9fe805f14852288d6a8a25967357fef61b0805316a1aed5e742b5
SSDEEP

24576:apKdXZ8KZryfjMN+K2bNKe0f1lzbqa/ZS1:acdZ8+rUfbNf81xqgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	40c47e9111a3447061ed12bd69e09620.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	40c47e9111a3447061ed12bd69e09620.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	40c47e9111a3447061ed12bd69e09620.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	40c47e9111a3447061ed12bd69e09620.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	40c47e9111a3447061ed12bd69e09620.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	40c47e9111a3447061ed12bd69e09620.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2392	40c47e9111a3447061ed12bd69e09620.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2392	40c47e9111a3447061ed12bd69e09620.exe
3052	40c47e9111a3447061ed12bd69e09620.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3052	2392	40c47e9111a3447061ed12bd69e09620.exe	29
PID 2392 wrote to memory of 3052	2392	40c47e9111a3447061ed12bd69e09620.exe	29
PID 2392 wrote to memory of 3052	2392	40c47e9111a3447061ed12bd69e09620.exe	29
PID 2392 wrote to memory of 3052	2392	40c47e9111a3447061ed12bd69e09620.exe	29

C:\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe
"C:\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe
  C:\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe

Filesize
93KB

MD5
2f48d635c54487ee26ab90c119a7c0cb

SHA1
c22ddc047100e9b924aea5a163d4ec282b52db8a

SHA256
94f79d73c7bc921cd5a3cb6579dbc0f016c9d30a6f2cc9c40e2d90b787b44f58

SHA512
5273dd24f466177a07cda357de4bc43d5718247a91038b7483e642e88f5a0b8bfb558408150e7dd85f34b13d14ab6804be69d43aed130ca49dfc9591a89f576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13F3.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
\Users\Admin\AppData\Local\Temp\40c47e9111a3447061ed12bd69e09620.exe

Filesize
99KB

MD5
18c4eacc5b312f3b899069cb703cebc5

SHA1
c48b40a522579153b04793cfc93216d02a164eac

SHA256
f698a56e9ee5717077ebc53c635f129507e64668fca3eb359f9de6df38d5ab5a

SHA512
4a94d3a88869379d085a44f229e2d08155ce92ebfa510b7879ccab9929706bb3e4dec4faa6372369c16fd3911b172680f25e3f535893db3f343496ea6c50fd68

Download Submit
memory/2392-14-0x0000000003200000-0x00000000032E8000-memory.dmp

Filesize
928KB

Download
memory/2392-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2392-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2392-4-0x0000000000290000-0x0000000000378000-memory.dmp

Filesize
928KB

Download
memory/2392-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3052-17-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/3052-24-0x0000000002FA0000-0x000000000305B000-memory.dmp

Filesize
748KB

Download
memory/3052-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3052-19-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3052-88-0x000000000DED0000-0x000000000DF68000-memory.dmp

Filesize
608KB

Download
memory/3052-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing