5d0cf221808309858ffcb9595b3fd9791d66c012b65438b2615d31b962d8120e

General

Target

4271e0db6d02b5445fd2171f1193a273.exe
Size

771KB
MD5

4271e0db6d02b5445fd2171f1193a273
SHA1

b53b69b335a9daffd0aa4ad3abb9c53661072cb4
SHA256

5d0cf221808309858ffcb9595b3fd9791d66c012b65438b2615d31b962d8120e
SHA512

4f9134cfa2ae8967b46ed496b41e02f100e83ea596e94fd9bc9b426cda530dc71f153621f8f0c531b1546247069bc853f53ca92e8e41291c79326a92a2c1d983
SSDEEP

12288:mcWQlL5JSFKfxAwkzl3ijwDK0NS8zb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8V:TWSJM0Awc9e8zb10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	4271e0db6d02b5445fd2171f1193a273.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	4271e0db6d02b5445fd2171f1193a273.exe

Loads dropped DLL 1 IoCs

pid	Process
804	4271e0db6d02b5445fd2171f1193a273.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	4271e0db6d02b5445fd2171f1193a273.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4271e0db6d02b5445fd2171f1193a273.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4271e0db6d02b5445fd2171f1193a273.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
804	4271e0db6d02b5445fd2171f1193a273.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
804	4271e0db6d02b5445fd2171f1193a273.exe
2992	4271e0db6d02b5445fd2171f1193a273.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2992	804	4271e0db6d02b5445fd2171f1193a273.exe	16
PID 804 wrote to memory of 2992	804	4271e0db6d02b5445fd2171f1193a273.exe	16
PID 804 wrote to memory of 2992	804	4271e0db6d02b5445fd2171f1193a273.exe	16
PID 804 wrote to memory of 2992	804	4271e0db6d02b5445fd2171f1193a273.exe	16

C:\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe
"C:\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe
  C:\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe

Filesize
123KB

MD5
622c9e878b74b33aabaec96d5cdec40e

SHA1
7c9faddff206d1d3bae71683afc6c1e48bba2293

SHA256
fa55fc77c3952ab84d01537b61a8cde316477e94a7b2b9fb13a757b6423de107

SHA512
d9a144e0832795f0d6d4a2995a18564bcc4be37a76408bf56f05340ad394599e8cba6916b0433b19ea099794faf1fa8244954f1e60a4a5f6a9a639b5c5454472

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar405F.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
\Users\Admin\AppData\Local\Temp\4271e0db6d02b5445fd2171f1193a273.exe

Filesize
381KB

MD5
89ddeb63f7c54eb25aa133a731b5c343

SHA1
8036a07e8cd7303b416e5e24e06cbfc29e7c8a29

SHA256
d6aff167397c7ee4b9d42c9769d039a8dc4368d83b68a2ccb415a274eafa6bae

SHA512
739cd9c4a8c549d3441512da6647ec4ddea639bedb9774124a670037858ed3dbbc20553e6be516bf3c21b21ea7af2237839d265bfb2b80355cca9d88e777a20b

Download Submit
memory/804-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/804-15-0x0000000002FB0000-0x0000000003016000-memory.dmp

Filesize
408KB

Download
memory/804-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/804-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/804-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2992-28-0x0000000002C70000-0x0000000002CCF000-memory.dmp

Filesize
380KB

Download
memory/2992-19-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/2992-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2992-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2992-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-88-0x00000000095B0000-0x00000000095EC000-memory.dmp

Filesize
240KB

Download
memory/2992-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing