6ceb2e87af00951a55a4e6b07e7974ae52d20c08891144d1a8461f35ef4f497c

General

Target

4e425ea6ef3a473c682d2e76889092ff.exe
Size

385KB
MD5

4e425ea6ef3a473c682d2e76889092ff
SHA1

0b4dbf65cb23fefc37bbaf4fd260ae780f5aeaf9
SHA256

6ceb2e87af00951a55a4e6b07e7974ae52d20c08891144d1a8461f35ef4f497c
SHA512

fca1ab35946e2d5f37b9781e4666cde98eb790551f7c8e75daca2e1f30b8acbf25ef5db915822b374574c947dd4e0864ecbe35e9004055c4d618253317b3ff76
SSDEEP

12288:yEybioVQ/PB6px/qD5fvCQpAhgg/4xSmL6B:y/FVIB6px//6g/6SmL6B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2304	4e425ea6ef3a473c682d2e76889092ff.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	4e425ea6ef3a473c682d2e76889092ff.exe

Loads dropped DLL 1 IoCs

pid	Process
2148	4e425ea6ef3a473c682d2e76889092ff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	4e425ea6ef3a473c682d2e76889092ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4e425ea6ef3a473c682d2e76889092ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4e425ea6ef3a473c682d2e76889092ff.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2148	4e425ea6ef3a473c682d2e76889092ff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2148	4e425ea6ef3a473c682d2e76889092ff.exe
2304	4e425ea6ef3a473c682d2e76889092ff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2304	2148	4e425ea6ef3a473c682d2e76889092ff.exe	28
PID 2148 wrote to memory of 2304	2148	4e425ea6ef3a473c682d2e76889092ff.exe	28
PID 2148 wrote to memory of 2304	2148	4e425ea6ef3a473c682d2e76889092ff.exe	28
PID 2148 wrote to memory of 2304	2148	4e425ea6ef3a473c682d2e76889092ff.exe	28

C:\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe
"C:\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe
  C:\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe

Filesize
361KB

MD5
d43a99bb3d104baef66a95007c6a3b59

SHA1
b7dbc11f63817475b5c023905fd91410c32f319b

SHA256
d185116eb4d9163c2d43bef822f288b3a5edf23868afab171ad9b807726e8967

SHA512
0ca2a55edfdf832a825fa5aafb6efc15a07a9c7032754d135c1a0d0a51399bad3d39f890feb2cc55d899e0a2f2ce9650eba525fe6d2b3cebe1f9d0590a495493

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab167F.tmp

Filesize
5KB

MD5
12575bc8af97f3409fe01045e218afda

SHA1
8938c52bb204c05bb1a34fdcc5730443f83bdd73

SHA256
7aa628b1c9b2a6db424fd0eec3199f1779467831ac8cf4d36495b902cec4d086

SHA512
978703b3456c2e82123da41c9ab0551d4ca3b78ae22a64fafd966eadb9f529e6ddff67bee426435d1388cfc745a753b3b5478ac1457e2834660a307802697398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1692.tmp

Filesize
9KB

MD5
36dd7e1886c2abd48eb6c4d08ba2a4ba

SHA1
4d07382641ee120fe26ec06a60d7fbdc15bf6c93

SHA256
4f5e01f3a2370cc3739ccdc10bb32eb1250504af2722eefb846b2de8213ddeab

SHA512
7b4443aaf9b72cb291ec134d799c833a2134f22e73ec62f1bb9425e78672f39e052d38b712c04f65e249225cc7d706a74eaa52e17b06ebbc2ce8dcfbe03436f1

Download Submit
\Users\Admin\AppData\Local\Temp\4e425ea6ef3a473c682d2e76889092ff.exe

Filesize
385KB

MD5
14e6b6edf2d39dbdf8b7b0585b1d8b9a

SHA1
119192fda3b118377680edd883fcba35fdeae928

SHA256
7f13e2b0fbbd6bb5ec70c0905f293717fd60ff85baf079b18fe8366c9f6c8944

SHA512
6eaffce549dd8f86178f2ac6c9168514e5faac68d4e4d490a85869fcf12208cca82ea8e492cb1318cc7d7c2924629f71254b6567139030ed3c08126a2422e2a3

Download Submit
memory/2148-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2148-2-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2148-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2148-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2148-16-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2304-21-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2304-24-0x0000000002CD0000-0x0000000002D2F000-memory.dmp

Filesize
380KB

Download
memory/2304-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2304-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2304-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2304-82-0x00000000095E0000-0x000000000961C000-memory.dmp

Filesize
240KB

Download
memory/2304-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing