a60b310bb5e53515c319e765ce0f04f83b16703f7910c44228eda35741ab0b86

General

Target

6439825726ab2c6d37be560ab2372ed8.exe
Size

771KB
MD5

6439825726ab2c6d37be560ab2372ed8
SHA1

b3332fe2470d74342fe8fa32b874b49c6ae918ca
SHA256

a60b310bb5e53515c319e765ce0f04f83b16703f7910c44228eda35741ab0b86
SHA512

90d2cb965b9cce40086be969685dfd81baf9beac1743dc1c519c5f60b141d88367726663bff563613a6906d2d5dada130c7cddb2da0a58a288bd920c5d18353c
SSDEEP

12288:Hx2X1IVs7a11XAcnl3zcv51LBg3PzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:HoCVsaXlDcvfBg3tvZWqEIz6qrfiTMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	6439825726ab2c6d37be560ab2372ed8.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	6439825726ab2c6d37be560ab2372ed8.exe

Loads dropped DLL 1 IoCs

pid	Process
804	6439825726ab2c6d37be560ab2372ed8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	6439825726ab2c6d37be560ab2372ed8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6439825726ab2c6d37be560ab2372ed8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6439825726ab2c6d37be560ab2372ed8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
804	6439825726ab2c6d37be560ab2372ed8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
804	6439825726ab2c6d37be560ab2372ed8.exe
2992	6439825726ab2c6d37be560ab2372ed8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2992	804	6439825726ab2c6d37be560ab2372ed8.exe	20
PID 804 wrote to memory of 2992	804	6439825726ab2c6d37be560ab2372ed8.exe	20
PID 804 wrote to memory of 2992	804	6439825726ab2c6d37be560ab2372ed8.exe	20
PID 804 wrote to memory of 2992	804	6439825726ab2c6d37be560ab2372ed8.exe	20

C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
"C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
  C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
54KB

MD5
285da7bb579888b8eafaf9b6b8923b90

SHA1
6dc76e557fd8a9cf9d6b33d7852beab1818dc38b

SHA256
d86a4bd7b93b3a380d6874f87cde7fb230643544b593154f5ed65e42058b0857

SHA512
74886c67264409d5b44c3119700262c266d134641e4d95b99c7c60c9d99f9d7c73acc5ca3cfcca0c8e8fc02ef5bd0e4cc0b32ad8369166fafc1ebc3bd5383f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe

Filesize
332KB

MD5
2020e22e70369d711dadf200779f0012

SHA1
886ebc7f2be9099c3cb72be77fea963d82cbc443

SHA256
08fe57e94f497872a23a0e948fd7dd5e2686abdfbfe2b97af49f75e5e1f5314a

SHA512
bec195c3673556c5a1ffe88fc6ad7769ef0e90193a8b0efca9d2aaeca98a2926f645496390e2fceac430ba88b76871b0f0ae5fb21cf984b25c19e47f5a2402a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD6E.tmp

Filesize
17KB

MD5
752560b3f41ed6e4ea6fba906b7a48c1

SHA1
28982e5841f23b09e00ccdb7fe13efc4c58194ee

SHA256
0d8fd8bab6f1b79d5bd7ca846f4aecc74c505244da8b2c1ab7562b0a887c9b1e

SHA512
99371c79a53b00f4a25d153ee491e2c6cf24e3d13302a4463e4f94b87674c9ae141de23e207e48334bebba99f5c2833ee66d734668eea1598bb965ecbb98dec1

Download Submit
\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe

Filesize
597KB

MD5
e08493cb4cc11226cf2fbeb40596f022

SHA1
c2d5e6c45c02467059b260b09ed0bfa1ee06e39a

SHA256
00999cc20a6fe4a02f0c6cb25ee896aa8b54639dced8d39ac95eb20ec4523b80

SHA512
60540e225d002ea3d9738a803218b2eb20a3d4334a49b2f697e59ff1e1c55d930176a2b22ebd643bc62ff78677da3ce057a1b698b978d6f8745ee78aa617443b

Download Submit
memory/804-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/804-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/804-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/804-2-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2992-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2992-28-0x0000000002D20000-0x0000000002D7F000-memory.dmp

Filesize
380KB

Download
memory/2992-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2992-18-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2992-87-0x000000000D630000-0x000000000D66C000-memory.dmp

Filesize
240KB

Download
memory/2992-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing