cd2c884778cfc69f058d80300b573edd6f5db470ad9b220acba1b9778ed11d96

General

Target

73d1305faf8436f0b70965b4df650fbf.exe
Size

385KB
MD5

73d1305faf8436f0b70965b4df650fbf
SHA1

fcc897df50b9788e10dd1a42a0fee5e5e40d7d25
SHA256

cd2c884778cfc69f058d80300b573edd6f5db470ad9b220acba1b9778ed11d96
SHA512

95aabbb6e4b97644fd44aaed52b21f70ca0f6da127d72deee109d7edbe0dbf32ac35743f4ebf9475589257b4efb45680dfce61b76e225f48fb372b2a6cd37c90
SSDEEP

6144:7v2UsaugAcQzYtfZ0io5smHsUw96/8M4jNxK4Xx505WDvCznNEL+B:z2UsaugUKBo+mE6kRX9Xx69z+L+B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	73d1305faf8436f0b70965b4df650fbf.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	73d1305faf8436f0b70965b4df650fbf.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	73d1305faf8436f0b70965b4df650fbf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	73d1305faf8436f0b70965b4df650fbf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	73d1305faf8436f0b70965b4df650fbf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	73d1305faf8436f0b70965b4df650fbf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	73d1305faf8436f0b70965b4df650fbf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2248	73d1305faf8436f0b70965b4df650fbf.exe
2668	73d1305faf8436f0b70965b4df650fbf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2668	2248	73d1305faf8436f0b70965b4df650fbf.exe	27
PID 2248 wrote to memory of 2668	2248	73d1305faf8436f0b70965b4df650fbf.exe	27
PID 2248 wrote to memory of 2668	2248	73d1305faf8436f0b70965b4df650fbf.exe	27
PID 2248 wrote to memory of 2668	2248	73d1305faf8436f0b70965b4df650fbf.exe	27

C:\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe
"C:\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe
  C:\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe

Filesize
170KB

MD5
e8e53a9458bb01613e20193607b88e9b

SHA1
f3a2dfa5eebc982691bce0da8e1e10e061b8ba02

SHA256
0bdde099a83eb2f9874453ebbce547c4f4139fc4a2a58ed873751c376f3c1a3e

SHA512
c87925d903443325f9f08e4228b1859d9adfba708ce97c2de7d9b6165e503d84ed662a7c702831098e4ef1626f9fdfec0a6e58a22de9aa7f807497d4a614425b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab607A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60BB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\73d1305faf8436f0b70965b4df650fbf.exe

Filesize
238KB

MD5
402e727a3ebf8af5c1029ab5a37e37c1

SHA1
836d8bf9f3140714211622f42dc730c93988c16c

SHA256
c9efd24535412f7ce6e382fb94c7776bdc109f6db137132e78f1165d6aed055f

SHA512
69bd5933021a04edb85fbe7ac68658628fd7207acaa9b48b6de2b5d0c1123d8eaa9072c180af0510c898e640e675664bfe65c21d8cc66c25c3dad0e64039cbad

Download Submit
memory/2248-12-0x0000000002DD0000-0x0000000002E36000-memory.dmp

Filesize
408KB

Download
memory/2248-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2248-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2248-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2248-3-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2668-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-28-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/2668-17-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2668-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2668-80-0x00000000096F0000-0x000000000972C000-memory.dmp

Filesize
240KB

Download
memory/2668-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing