7768e69970fd566ddbf4f28ca26ef3f988afd629e75ada0034f332446380c270

General

Target

4f0f7abfe049cae5886f01c4f1b8a193.exe
Size

1.5MB
MD5

4f0f7abfe049cae5886f01c4f1b8a193
SHA1

b40dd7e48f6c9ad1ab6e77a27e6551713b171cbf
SHA256

7768e69970fd566ddbf4f28ca26ef3f988afd629e75ada0034f332446380c270
SHA512

c4b7ad80aed56f3f1d2fca852d09c7e5b0b43692631031d77d1f2ac7d7d7f539c53ee27ed096a30afa080a02b58f181ab7530be53ba1b4bd4851be2d37d8338c
SSDEEP

24576:FOfrQBh6b10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FBBT:UDac/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	4f0f7abfe049cae5886f01c4f1b8a193.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	4f0f7abfe049cae5886f01c4f1b8a193.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	4f0f7abfe049cae5886f01c4f1b8a193.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	4f0f7abfe049cae5886f01c4f1b8a193.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4f0f7abfe049cae5886f01c4f1b8a193.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4f0f7abfe049cae5886f01c4f1b8a193.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	4f0f7abfe049cae5886f01c4f1b8a193.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2956	4f0f7abfe049cae5886f01c4f1b8a193.exe
3036	4f0f7abfe049cae5886f01c4f1b8a193.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3036	2956	4f0f7abfe049cae5886f01c4f1b8a193.exe	28
PID 2956 wrote to memory of 3036	2956	4f0f7abfe049cae5886f01c4f1b8a193.exe	28
PID 2956 wrote to memory of 3036	2956	4f0f7abfe049cae5886f01c4f1b8a193.exe	28
PID 2956 wrote to memory of 3036	2956	4f0f7abfe049cae5886f01c4f1b8a193.exe	28

C:\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe
"C:\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe
  C:\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe

Filesize
382KB

MD5
a7a7bd3956feb950bfccb13cb86011cb

SHA1
3a2211b2c4409621d58dc0b32cdda1152753834f

SHA256
7b16d18c7a59dfaf86769f9d2985d839ec4cb97f0dff3cca41f1d90c223e261c

SHA512
3d95318d72374d93c446ec7c3643a9e68c71c2f40bc405fbf1cb461c367fa7555e0a3bb60e2c6e9588891102ca2362b2d72b252fba0b9d576b44d79ba84161ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B53.tmp

Filesize
98KB

MD5
371aef904c2a44b47aeefa7c5bb3312d

SHA1
b1058296c351474166e45ea27423122bb191efc3

SHA256
0836be0716e46b765bc8c79b573e98af6e058dcd5ef6a6f38e29f30b7ad77ad4

SHA512
8a40153454ad5319c7e5c6c5e6d818a483bdb3bd4a7d250359e8d393ff87378a384ff007a80ee9ed76243f83a7db1662f3b0d5c7debfe704fff8e724f7886812

Download Submit
\Users\Admin\AppData\Local\Temp\4f0f7abfe049cae5886f01c4f1b8a193.exe

Filesize
1.4MB

MD5
407d6e82835dcbabf04a7f7003777724

SHA1
cb8274a0f0ad659e22505bdd56c83271b6e4265c

SHA256
e49c5e7ad12013d0e5f694df0930d846dd645db38bd3dfc7dcc44f0bfbb25041

SHA512
e7b40782d255c9c8b8db446f07e25ce12a6388bf4a559dc83ca7ab8a5e31f0accb224e94e7fc1f21747a66324b69e1d172a3ea5a3270f75f545f544966f31411

Download Submit
memory/2956-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-12-0x0000000003140000-0x00000000031A6000-memory.dmp

Filesize
408KB

Download
memory/2956-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-1-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/3036-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-19-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/3036-29-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/3036-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3036-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3036-88-0x000000000D6E0000-0x000000000D71C000-memory.dmp

Filesize
240KB

Download
memory/3036-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3036-89-0x000000000D6E0000-0x000000000D71C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing