0759682c37bea5625e5b69762b9267a9837296d4a08624a923a1cd28097904a5

General

Target

54a744d5d9c73a40a799a4cd91b9475f.exe
Size

385KB
MD5

54a744d5d9c73a40a799a4cd91b9475f
SHA1

d25b7123a2bcf880d5cd607d2712d97217d54d9d
SHA256

0759682c37bea5625e5b69762b9267a9837296d4a08624a923a1cd28097904a5
SHA512

6f2e665df03f0340c1a56f92b651e996d2f6f57f876baf8272dfd861312d72a72d697a69b32c1fd945d480248851fb4f17345914b6a4ddca7eb464f120734bcf
SSDEEP

6144:/m5VcDcpkeeZQs5iZJSTVv4qFjiAk6XajXE+FgFIf+ZIhWqL7Z6rG/fbQs6svwTB:u5VWk/wwmOj7gFImzo7QwxvwTB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1740	54a744d5d9c73a40a799a4cd91b9475f.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	54a744d5d9c73a40a799a4cd91b9475f.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	54a744d5d9c73a40a799a4cd91b9475f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	54a744d5d9c73a40a799a4cd91b9475f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	54a744d5d9c73a40a799a4cd91b9475f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	54a744d5d9c73a40a799a4cd91b9475f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2380	54a744d5d9c73a40a799a4cd91b9475f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2380	54a744d5d9c73a40a799a4cd91b9475f.exe
1740	54a744d5d9c73a40a799a4cd91b9475f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1740	2380	54a744d5d9c73a40a799a4cd91b9475f.exe	17
PID 2380 wrote to memory of 1740	2380	54a744d5d9c73a40a799a4cd91b9475f.exe	17
PID 2380 wrote to memory of 1740	2380	54a744d5d9c73a40a799a4cd91b9475f.exe	17
PID 2380 wrote to memory of 1740	2380	54a744d5d9c73a40a799a4cd91b9475f.exe	17

C:\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe
"C:\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe
  C:\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe

Filesize
278KB

MD5
c8d6cd0080c12a1fe16df0e9b9da3293

SHA1
adfdac6c0a088f7a81107d2734f5f1beca82d966

SHA256
e90c92c84111f5b8ad0dda57b399be816635c6ea42a5b7ea5cfe9283b0c2eedd

SHA512
a3c0d15dd058256d16c1ccdfc9f60b282fede476dc7090a01409951f787c1010c3b05b8266514626222cf8568b83eb8b801af32ac87359a673a50e1df7156ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1354.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1367.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\54a744d5d9c73a40a799a4cd91b9475f.exe

Filesize
219KB

MD5
48fd66784f24da71733e9de937efcdfc

SHA1
833db37f9e3f5162120c8ddcb4ab03da210d918a

SHA256
83b75cce6bec992755a4d1901d39f499f34b7e4fe088899eb778834956215174

SHA512
57709e69e4441bfd40bccedd59ee1ac3bc98c6049b41b060b9699ec0ba208c8dd223ee0f6aacd33950f7da33ace7d5cac9eed84d91eb4d71d9f68760f6f30743

Download Submit
memory/1740-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1740-19-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/1740-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-26-0x0000000002BF0000-0x0000000002C4F000-memory.dmp

Filesize
380KB

Download
memory/1740-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1740-82-0x000000000ED60000-0x000000000ED9C000-memory.dmp

Filesize
240KB

Download
memory/1740-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2380-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2380-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2380-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2380-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing