258451171e15a3041ac70bf4f8f3ba60bd557f247b19b6ab20aa2fc900c46aa9

General

Target

41c3f96ef89d41ecdbd1527db03eedcb.exe
Size

385KB
MD5

41c3f96ef89d41ecdbd1527db03eedcb
SHA1

59b5e853046491dc3a4a4d39149527667f328823
SHA256

258451171e15a3041ac70bf4f8f3ba60bd557f247b19b6ab20aa2fc900c46aa9
SHA512

9bfbb0b9962d6bcacab5e360d1eac96789879e4ed224020fb11df0cf3538786802f4cb9015ad6db661279987b7f7d96630103adf6a7d8e3bd8e7e43e5117a256
SSDEEP

6144:3gUlhEf//A4uwZ35emPL8bz2YAfdicdsKD0hHZjJxAPd5BGz/EzNqB:FlKnawZ35emmPAEcKKQVZjJuPd7Q/1B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1856	41c3f96ef89d41ecdbd1527db03eedcb.exe

Executes dropped EXE 1 IoCs

pid	Process
1856	41c3f96ef89d41ecdbd1527db03eedcb.exe

Loads dropped DLL 1 IoCs

pid	Process
1688	41c3f96ef89d41ecdbd1527db03eedcb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	41c3f96ef89d41ecdbd1527db03eedcb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	41c3f96ef89d41ecdbd1527db03eedcb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	41c3f96ef89d41ecdbd1527db03eedcb.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1688	41c3f96ef89d41ecdbd1527db03eedcb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1688	41c3f96ef89d41ecdbd1527db03eedcb.exe
1856	41c3f96ef89d41ecdbd1527db03eedcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1856	1688	41c3f96ef89d41ecdbd1527db03eedcb.exe	16
PID 1688 wrote to memory of 1856	1688	41c3f96ef89d41ecdbd1527db03eedcb.exe	16
PID 1688 wrote to memory of 1856	1688	41c3f96ef89d41ecdbd1527db03eedcb.exe	16
PID 1688 wrote to memory of 1856	1688	41c3f96ef89d41ecdbd1527db03eedcb.exe	16

C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe
C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1856

C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe
"C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe

Filesize
39KB

MD5
a7e92da21cf4e29a2ec4e14e97683d97

SHA1
b51abf25a3ab812793247fdf66f7ba363b4511fd

SHA256
a537a36809090d5e8ce5fdf9bbcb3debb0095d8a75a3b9e6e68460b6704172fd

SHA512
5e0f37adcc282fd7a5036d91497e7e3ba8c30385febd6007e5b3674fa1a8cd035f87188ece8d1e1b8230ac62710af9750cc8e27770a244f861d18eb840fb3f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe

Filesize
50KB

MD5
f3fa634c5e43e965e29032a8438da003

SHA1
55fd0d4f078268958faa836eec23e6a18ebc0b86

SHA256
a875ac70003802540b74388e5fb1162b84bccb2ce31208f6a962d5def60bb677

SHA512
7834c3ae7045954fae4a8df65f518a684fd0cc29f33c268e3c88505b6addbfc81ef68882883cce286a86dc7e2ea2458cdaa253289f4b5e2ee246229d3d2c45d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFFD.tmp

Filesize
124KB

MD5
8eedf15de34b38cb3a1cb20ffdcb363c

SHA1
dbe50ace899139ea16a80d4524f6e5553c13237f

SHA256
4fea1616ca7f4af17d1fb0cc31967471a746e8333dc8681ea989f689d2bb9e89

SHA512
464cb34fd25c2232b936b1da2a58be511f354dc1a33cf3ab17d7338a77c0e86368483938dd0e823448bf6a3d2defbad018f6eb8770ad7b215feb93ba4ab8852a

Download Submit
\Users\Admin\AppData\Local\Temp\41c3f96ef89d41ecdbd1527db03eedcb.exe

Filesize
74KB

MD5
ef668ad32e4b25bce9daec8e6e26e8bb

SHA1
98f4e44f316a42131f5f9449ffa0712ff74e5f11

SHA256
54b02e3262a0c137299d44da1a68d6a9142b6bf416e604317dae5193bb044ebf

SHA512
54d7e4a20ce3388232d5783f19f38587ae3f912dc5a8659018c36a2c78e13428376435779d85b13a606e9640af0de1e10bf10f81b8118800a5fd145d75a04a7d

Download Submit
memory/1688-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1688-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1688-16-0x0000000002DF0000-0x0000000002E56000-memory.dmp

Filesize
408KB

Download
memory/1688-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1688-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1856-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1856-21-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1856-29-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/1856-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1856-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1856-88-0x000000000D620000-0x000000000D65C000-memory.dmp

Filesize
240KB

Download
memory/1856-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1856-89-0x000000000D620000-0x000000000D65C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing