d8afe2235b27994d29a40060f82abbfddc0bc5d24efec6a53d7e1540e4455ce8

General

Target

456cb72b97bffcbb308d95382bc5f7ab.exe
Size

385KB
MD5

456cb72b97bffcbb308d95382bc5f7ab
SHA1

1663a70901350b66c23a1aa1cb6921c2626f1dd9
SHA256

d8afe2235b27994d29a40060f82abbfddc0bc5d24efec6a53d7e1540e4455ce8
SHA512

83761382baacb6bab8bc0d0dd5476558fda723d9ac6b275be3f15f4e425f189dec9c91fc4c2a1d47344d388ed907a19028509e7fe4ceaea606fc9355f6b0e92c
SSDEEP

6144:1UeSzrb8GTBeI3XDc+7NnKSMZQaoa57Z2+H3o2f2EeobDtLhYQe32B:1UBbzBeQXDc+9KSZa5h42f7bD4QemB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	456cb72b97bffcbb308d95382bc5f7ab.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	456cb72b97bffcbb308d95382bc5f7ab.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	456cb72b97bffcbb308d95382bc5f7ab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	456cb72b97bffcbb308d95382bc5f7ab.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	456cb72b97bffcbb308d95382bc5f7ab.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	456cb72b97bffcbb308d95382bc5f7ab.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2528	456cb72b97bffcbb308d95382bc5f7ab.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2528	456cb72b97bffcbb308d95382bc5f7ab.exe
2676	456cb72b97bffcbb308d95382bc5f7ab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2676	2528	456cb72b97bffcbb308d95382bc5f7ab.exe	28
PID 2528 wrote to memory of 2676	2528	456cb72b97bffcbb308d95382bc5f7ab.exe	28
PID 2528 wrote to memory of 2676	2528	456cb72b97bffcbb308d95382bc5f7ab.exe	28
PID 2528 wrote to memory of 2676	2528	456cb72b97bffcbb308d95382bc5f7ab.exe	28

C:\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe
"C:\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe
  C:\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe

Filesize
116KB

MD5
ae7c0692e635324e5564822a2b131e08

SHA1
65794db92ec3689c31a79808c508daf654f10b7b

SHA256
13a5857b16c2432ff3b56f675709ad3e8212a19b1fd43989aa2b42982691f5d5

SHA512
feeb9d791c53301049b99ccc951ce59d5af6a11ad558c35265deaab92375b5affc0917fdc89d9f7bec7a4d4b9f35c26bd41a67169ba33d741af55fd27c9ba793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab428E.tmp

Filesize
53KB

MD5
a843c6a7638585c52e988363ac9cb704

SHA1
1fdd16f449e7eb04209cc332cf1aa7ca0252f48f

SHA256
ea0544e432a3b395495aff993eb6270169d877eefdbd9811507cf20d21927667

SHA512
78768b1188656ef4a0c6c76bca555534db2e2705abf5e1032f6b0f2b7287ad123876ea308adec708f46b1aac72518bd46ec469775ad4406320881cde940334d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42C0.tmp

Filesize
89KB

MD5
9a5dd06189d4876c7eefed8fbdb7ffa6

SHA1
4f11afdd61d48b388c1e1db79431c2d3f5e8184d

SHA256
5b346699b48f38522563715713401bf5b82e444252826d384cdb441dad24d571

SHA512
59481a7856b8a4102d81dec1290f6c01f95589c7d871d987bff66523e80352cdd8d78b733761d2b4f82b90ffae802a37ef5085a3fb6865001f3d213567ecd587

Download Submit
\Users\Admin\AppData\Local\Temp\456cb72b97bffcbb308d95382bc5f7ab.exe

Filesize
152KB

MD5
c49f9534811e3f5d089efa3034bd2078

SHA1
1115215c146aafd94423f0de9d1c64b38397856f

SHA256
75501fd71a34ef114921c4229d625faef28d98a9e85c03d94c8f19487f56fdcd

SHA512
0ca8222fada6dd4c8d6d79b0370b7f8cd096fd251cd54ea93ccf191e930754187df9b6acddbf4c3338a90bbc3d4e3fc4723fd9a5319bcd38bb918f0b3e7d0c44

Download Submit
memory/2528-12-0x0000000002E30000-0x0000000002E96000-memory.dmp

Filesize
408KB

Download
memory/2528-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2528-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2528-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2528-2-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/2676-23-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2676-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-18-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2676-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2676-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2676-78-0x000000000D7D0000-0x000000000D80C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing