8fe1cb4180c5ed787e5d1583e525ddff3383edd503c4b95e14ed4655cb63412a

General

Target

438194de19ad7eefd4762cbd6c68c991.exe
Size

771KB
MD5

438194de19ad7eefd4762cbd6c68c991
SHA1

2268cec06ea9925a86cfd4e7b824613356b169e2
SHA256

8fe1cb4180c5ed787e5d1583e525ddff3383edd503c4b95e14ed4655cb63412a
SHA512

414e1a065291a52efe37fb35cdc8b9ac5c92b5208aad551e3199f2d528c91d0e073127ac590a8653e973d8b65283f5375e82546d1e43f4c081c011be11c74465
SSDEEP

12288:h1cU4A1bkV1QnKMUQctX2ZQWjrBrb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8B/:0V19MUQ87s9b10hJaothZ2/T6FBBB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2292	438194de19ad7eefd4762cbd6c68c991.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	438194de19ad7eefd4762cbd6c68c991.exe

Loads dropped DLL 1 IoCs

pid	Process
860	438194de19ad7eefd4762cbd6c68c991.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	438194de19ad7eefd4762cbd6c68c991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	438194de19ad7eefd4762cbd6c68c991.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	438194de19ad7eefd4762cbd6c68c991.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
860	438194de19ad7eefd4762cbd6c68c991.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
860	438194de19ad7eefd4762cbd6c68c991.exe
2292	438194de19ad7eefd4762cbd6c68c991.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2292	860	438194de19ad7eefd4762cbd6c68c991.exe	19
PID 860 wrote to memory of 2292	860	438194de19ad7eefd4762cbd6c68c991.exe	19
PID 860 wrote to memory of 2292	860	438194de19ad7eefd4762cbd6c68c991.exe	19
PID 860 wrote to memory of 2292	860	438194de19ad7eefd4762cbd6c68c991.exe	19

C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe
"C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe
  C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe

Filesize
96KB

MD5
942a50164ff798d845f04f87bbdea5ba

SHA1
222e196cd06a9db41ddaac11136c8b00b578aa77

SHA256
300496b2f8e4ad4b43bee503280e3a34dd0c747a54d4a4af30dc4d6d066035fe

SHA512
7d52ef28427404f42892265b68ed2ecb1bbab9c33dabe8f97d6eb84dbf6f750c5ec1857ead07b045ce443070eec6b679241b9a350676db2838d70269a2dab27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE9A6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE3B.tmp

Filesize
142KB

MD5
f7483bf26f3a9fd6abd1d261f2ab5e45

SHA1
4efc8d1e8e2bd7c0e1d89f3154dc97979a4d2d6d

SHA256
966bde41c739ed119e5c78ac782bb98ea771ece09105f774117ff43d794528c5

SHA512
1534df790102c220d8447d50e962f9eb677abf908508cb7b5c4457d4b9a80d9afb1d592faca87ce634348258bea23284e4b0cd14257635e70fbf60691455ed05

Download Submit
\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe

Filesize
22KB

MD5
2bea60a463eb78b476694d8270acf357

SHA1
80477f77938e1577b4d05a711f2a5b2ffe8d0955

SHA256
64624e6b3cfbe09132241f748266faac212202681cd884baa0f1fecd44bbd402

SHA512
dfde7dcf86c51584969ca6b7801caea2dfd3dd3f3f4d8820b57f88f61e3127750d018a18bf11d31b743123769ebd6a2dda600ac66d90bf32f73156094b0ad08f

Download Submit
memory/860-2-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/860-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/860-12-0x0000000003090000-0x00000000030F6000-memory.dmp

Filesize
408KB

Download
memory/860-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/860-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2292-17-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2292-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-23-0x00000000003A0000-0x00000000003FF000-memory.dmp

Filesize
380KB

Download
memory/2292-82-0x0000000008890000-0x00000000088CC000-memory.dmp

Filesize
240KB

Download
memory/2292-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2292-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2292-83-0x0000000008890000-0x00000000088CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing