1b8c20b0a5e69765e68c548d2e3ef8000ecf925eff12efa07a8514e40c7a12a5

General

Target

48fb3d1982bef037cb2ffeb72df170f1.exe
Size

385KB
MD5

48fb3d1982bef037cb2ffeb72df170f1
SHA1

39c9ed5bee8f7a99e1ede5972e37a1a000e612f9
SHA256

1b8c20b0a5e69765e68c548d2e3ef8000ecf925eff12efa07a8514e40c7a12a5
SHA512

befe5377da25d9f600c77f43b9680bbd947fd5bfdd432cdc5c01da4d1924f91dd0a22a89f9584b6108a0cf81edcd89a5aca2f9029b21c5fada4cac5fcf6770eb
SSDEEP

6144:OIRljmsyiqEhzThWVe0ptWtzRKxDAc/aip+j11SzXkTjxK8JYSjFcqvB:OUlisMEhvwVqjKxDZ/atmYDAqvB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2140	48fb3d1982bef037cb2ffeb72df170f1.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	48fb3d1982bef037cb2ffeb72df170f1.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	48fb3d1982bef037cb2ffeb72df170f1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	48fb3d1982bef037cb2ffeb72df170f1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	48fb3d1982bef037cb2ffeb72df170f1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	48fb3d1982bef037cb2ffeb72df170f1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2392	48fb3d1982bef037cb2ffeb72df170f1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2392	48fb3d1982bef037cb2ffeb72df170f1.exe
2140	48fb3d1982bef037cb2ffeb72df170f1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2140	2392	48fb3d1982bef037cb2ffeb72df170f1.exe	25
PID 2392 wrote to memory of 2140	2392	48fb3d1982bef037cb2ffeb72df170f1.exe	25
PID 2392 wrote to memory of 2140	2392	48fb3d1982bef037cb2ffeb72df170f1.exe	25
PID 2392 wrote to memory of 2140	2392	48fb3d1982bef037cb2ffeb72df170f1.exe	25

C:\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe
"C:\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe
  C:\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe

Filesize
265KB

MD5
77fa012496caf8a9cce756d22622c04c

SHA1
2b27f13652fd9f7b54612191e3410cf391953c4c

SHA256
2e392703296cd6a4cb0d81c21cc6c0c4264b7dcc24e94d492d23ca46f58babc4

SHA512
e2b7346ec286316bde679e8afd4ab33b36d192e73a29066db16c296576804556c4d7847dc358f0e98a0e03bcd1c7e65bf199d4c971d0c48bcc3b32f2f3a7ce0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B06.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B48.tmp

Filesize
101KB

MD5
c91839c3f232a27ab942bc22e8c9d99d

SHA1
a335bad31dd20cecbddb9e4043a6996bc5eaa5be

SHA256
9efd921f81e3f4bbabde193a4b8bcdd7ddd9e92422e877f19d06561dc99b848d

SHA512
3e042c7078025c16e5d96157466d9ffe9f63d6a528887bc1e33527317bf682ca8f83acf8f0564893e8a7be31cd7d7b32b47e6e919c7532e542e2ff08a62596e3

Download Submit
\Users\Admin\AppData\Local\Temp\48fb3d1982bef037cb2ffeb72df170f1.exe

Filesize
219KB

MD5
a650cb3d7182e9c53c99ffef7ad06d64

SHA1
256088f9d84c4f41ed8a3d6a6e7b4eefa7d7c044

SHA256
13db722e215d7afc841604b48a455c8bab823d5ff5ac6e9fc365461144bb7da7

SHA512
68b40faada044b4efbc53fe52b8d1991d68783387d9b182a655cbf4c7a1d9678b61611c9b8793c603128056f0d5022957ab820b4eba17b7ec8ba0a6f60abe11f

Download Submit
memory/2140-23-0x00000000003A0000-0x00000000003FF000-memory.dmp

Filesize
380KB

Download
memory/2140-19-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/2140-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-80-0x000000000D6D0000-0x000000000D70C000-memory.dmp

Filesize
240KB

Download
memory/2140-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2140-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2392-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2392-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2392-12-0x0000000002DE0000-0x0000000002E46000-memory.dmp

Filesize
408KB

Download
memory/2392-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2392-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing