dedc30557e77d295d1c3bb9fb00cfb5b497ca8e06c4223040c2e90dc8ca1f7a2

General

Target

71a278956e360787f976ae641b6b3bbc.exe
Size

907KB
MD5

71a278956e360787f976ae641b6b3bbc
SHA1

498e47b9099e51b803e7fb14fe892eaf9cff0d82
SHA256

dedc30557e77d295d1c3bb9fb00cfb5b497ca8e06c4223040c2e90dc8ca1f7a2
SHA512

535ad823fb46b1b4f09430482b9d5576de96947f41b4c9ed30f4b650eb8a0067e262e6cc75651401ae2bf1bb8bd9df53c319959862e901fefbab6ced74131c57
SSDEEP

24576:AZBBgrsqI0wdBwFtkU49Vfm8aM8gFvKVYLa/ZS1:+PgDwdGkU2pm8X8oLgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2324	71a278956e360787f976ae641b6b3bbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	71a278956e360787f976ae641b6b3bbc.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	71a278956e360787f976ae641b6b3bbc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	71a278956e360787f976ae641b6b3bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	71a278956e360787f976ae641b6b3bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	71a278956e360787f976ae641b6b3bbc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	71a278956e360787f976ae641b6b3bbc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2896	71a278956e360787f976ae641b6b3bbc.exe
2324	71a278956e360787f976ae641b6b3bbc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2324	2896	71a278956e360787f976ae641b6b3bbc.exe	22
PID 2896 wrote to memory of 2324	2896	71a278956e360787f976ae641b6b3bbc.exe	22
PID 2896 wrote to memory of 2324	2896	71a278956e360787f976ae641b6b3bbc.exe	22
PID 2896 wrote to memory of 2324	2896	71a278956e360787f976ae641b6b3bbc.exe	22

C:\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe
"C:\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe
  C:\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
24KB

MD5
4a7b5da8afca0388cf66e00689f7fff1

SHA1
3c38ccbe18532bc33c82c23bf08567cda54c658b

SHA256
a3347e3c74f66f17eccc3882c597ff1f953e302027f8858980bc5663584e527d

SHA512
9010c2d08883e7f94666edebcf73ff91a1fa83bb16506ad6ebf79739b8a3cf8cf54b4f185f30fdbcb5b4f31ecb65d7b652dd030fb9cb9affc3e85c2ceebe67bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe

Filesize
162KB

MD5
fb50c948b833467fe3056963e6bff412

SHA1
59b49965720efacbb0f959c87578174369774ee9

SHA256
4bb9220eae2759c6a54a15dac49c19390f7f030d70665e4143f7123dd66efcd6

SHA512
07bb013a13a1bade1348620a7ad339866e05c9bf922a21466cd532c46a6423110b3d2a4b7d91329b54c21875892ca3e11572a25a87158d60f198cc15a9d9d1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3C.tmp

Filesize
21KB

MD5
df3fe7a6749ca31b6fceb82d52f3f6b5

SHA1
ddd5e7381201cf04ad664f0addabc79edeb5581a

SHA256
767a99ce11a1d71fa906034eafc46cb9a7f037a484889eca10385358134c5021

SHA512
5524ced5a4546b5d395206d80d5da5df3bc2fd87cd77c3c6b07688b748dd0162afb3a031a3b478bc93705dacbb1c1818519d90a82d2961c6a0309c5c8b66b831

Download Submit
\Users\Admin\AppData\Local\Temp\71a278956e360787f976ae641b6b3bbc.exe

Filesize
282KB

MD5
ca337e91204ed9787e40737f56a50f28

SHA1
7dab41747bed4810acc8f3dc71fa2c4b9bcb71c6

SHA256
c0d4d7aa74513dcf84397e64097b4acce9a37c52e423f94ed29b111f9be88eeb

SHA512
0c8d8fdf8776e2a103eb6c52c58d21f51a52a4db0d110324ebb864fe925048126d089735dd73caa78f93a95b34025525148935cf8337822cbb4269b60b5b31b9

Download Submit
memory/2324-29-0x0000000002F40000-0x0000000002FFB000-memory.dmp

Filesize
748KB

Download
memory/2324-18-0x00000000002D0000-0x00000000003B8000-memory.dmp

Filesize
928KB

Download
memory/2324-20-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2324-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2324-88-0x000000000A7E0000-0x000000000A878000-memory.dmp

Filesize
608KB

Download
memory/2324-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2896-14-0x0000000003210000-0x00000000032F8000-memory.dmp

Filesize
928KB

Download
memory/2896-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2896-4-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/2896-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing