Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 17:43
Static task
static1
Behavioral task
behavioral1
Sample
751f73044d0b419d6ddb606917bb59ac.exe
Resource
win7-20231215-en
General
-
Target
751f73044d0b419d6ddb606917bb59ac.exe
-
Size
385KB
-
MD5
751f73044d0b419d6ddb606917bb59ac
-
SHA1
20c19cff1d3a5b38cd5fe9725f84dad4fd065f5e
-
SHA256
85cdb11bbcb91fa874b5ff4eee8565d7f64421bc17965dbafc932e387397ad71
-
SHA512
b8893a18922041cb3825f88f5cf3749aafbcb36ee0f0459251e1c770207833975fb69237782b948f8a32c39764e71d29368d7ad30925a462682edbe2a70cb69b
-
SSDEEP
6144:NcXKbTgeHqR6t3AFVZFv7c6j2R5EmKblrvM/wBQb+RHSgJKQfJWCB:NweHKBZF1YZIlSPwHSgJdfJWCB
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exepid process 2232 751f73044d0b419d6ddb606917bb59ac.exe -
Executes dropped EXE 1 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exepid process 2232 751f73044d0b419d6ddb606917bb59ac.exe -
Loads dropped DLL 1 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exepid process 2804 751f73044d0b419d6ddb606917bb59ac.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Processes:
751f73044d0b419d6ddb606917bb59ac.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 751f73044d0b419d6ddb606917bb59ac.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 751f73044d0b419d6ddb606917bb59ac.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 751f73044d0b419d6ddb606917bb59ac.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exepid process 2804 751f73044d0b419d6ddb606917bb59ac.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exe751f73044d0b419d6ddb606917bb59ac.exepid process 2804 751f73044d0b419d6ddb606917bb59ac.exe 2232 751f73044d0b419d6ddb606917bb59ac.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
751f73044d0b419d6ddb606917bb59ac.exedescription pid process target process PID 2804 wrote to memory of 2232 2804 751f73044d0b419d6ddb606917bb59ac.exe 751f73044d0b419d6ddb606917bb59ac.exe PID 2804 wrote to memory of 2232 2804 751f73044d0b419d6ddb606917bb59ac.exe 751f73044d0b419d6ddb606917bb59ac.exe PID 2804 wrote to memory of 2232 2804 751f73044d0b419d6ddb606917bb59ac.exe 751f73044d0b419d6ddb606917bb59ac.exe PID 2804 wrote to memory of 2232 2804 751f73044d0b419d6ddb606917bb59ac.exe 751f73044d0b419d6ddb606917bb59ac.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\751f73044d0b419d6ddb606917bb59ac.exe"C:\Users\Admin\AppData\Local\Temp\751f73044d0b419d6ddb606917bb59ac.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\751f73044d0b419d6ddb606917bb59ac.exeC:\Users\Admin\AppData\Local\Temp\751f73044d0b419d6ddb606917bb59ac.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2232
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
385KB
MD50132d5bf16a22e3a46817ce687be1691
SHA1a4c29b3b96d64242726a794783064a1908b827cf
SHA25646fd749fe6f0a99eee954312d5f5d2a7fb3607ee414496788eb2e771a1aba6f5
SHA5127f3e2a9f4bbc5aaf6a710201dc859f22e62671e4c9fae2cd1efbb570b47ac7357f5e2fcd5f76c2a655eb1e2c2b1706481ce72c2788a3ce6e77b8fe429b8134c7