6a029f08825631d6ec9a3f2f8c3e23d8ed479c276b73d22cd40745019c80d126

General

Target

76a366077f8f604b2b4edb9ed92236df.exe
Size

907KB
MD5

76a366077f8f604b2b4edb9ed92236df
SHA1

05143abb300fc5b92de1780fa6580d3e6249af6c
SHA256

6a029f08825631d6ec9a3f2f8c3e23d8ed479c276b73d22cd40745019c80d126
SHA512

1b7aa2278afc869d5fac82fa14101a6fd6c0edfc7441cc2fa4798494706ef98b28e52e603445236811ef0619c2b35f97e1bd07b8d7b81e784a074f21c8fe8141
SSDEEP

12288:8Vzw5FOtVpHg7WAPnMbjK+5RhD9gPW/xM66cTamNbxNCpwG1jVDa/ZS1:SWg9Hg9ojb19mkujxMSqGra/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1768	76a366077f8f604b2b4edb9ed92236df.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	76a366077f8f604b2b4edb9ed92236df.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	76a366077f8f604b2b4edb9ed92236df.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	76a366077f8f604b2b4edb9ed92236df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	76a366077f8f604b2b4edb9ed92236df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	76a366077f8f604b2b4edb9ed92236df.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	76a366077f8f604b2b4edb9ed92236df.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2220	76a366077f8f604b2b4edb9ed92236df.exe
1768	76a366077f8f604b2b4edb9ed92236df.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1768	2220	76a366077f8f604b2b4edb9ed92236df.exe	29
PID 2220 wrote to memory of 1768	2220	76a366077f8f604b2b4edb9ed92236df.exe	29
PID 2220 wrote to memory of 1768	2220	76a366077f8f604b2b4edb9ed92236df.exe	29
PID 2220 wrote to memory of 1768	2220	76a366077f8f604b2b4edb9ed92236df.exe	29

C:\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe
"C:\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe
  C:\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
11KB

MD5
5d9be6b81c60b5dbe2a007b8791d8b20

SHA1
bb5f83cbd3b2ce12636126e8ee0703b4204063b8

SHA256
8c9ab7c245b543a3d9e3a651e0d7a1544d278d52cf84b2f680a4565a71d0ce7b

SHA512
b8ead835fa81553c84563d11879ef96572769e49b48af5a20076f2647ea8ae772a243b31030c5bc15c1f816450f6247f240b413606e07e4ef8e91ec8dcaba55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe

Filesize
219KB

MD5
07846e8a54bd98216feb75dc1be1f867

SHA1
6e359f9b94490ab718bdc252294b225aad0d0759

SHA256
b4e09f71c16e6a21f8ae0592d551e831c75a83c1e32802227d0726af55daf39c

SHA512
bc1682b640e99933b219b1b8608ba7db06224febbd4f8e76e0a0ce265f5e1a7a390ed253c46b9752d98a4f6b44e34cb5b0f4d568d628d104f9c9e6d341373631

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2081.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\76a366077f8f604b2b4edb9ed92236df.exe

Filesize
320KB

MD5
849877a781cd37312f29a77588d41410

SHA1
42e5cb9cbf2f32588785937a7429f03e529d9411

SHA256
434439e0959e512025ed1a3781ffabaf917c699e78f4c04e8bc47e431171d143

SHA512
1b448b617e833ad5150f4edfbf59fac7c3a3652da2ac5fb2ff226e1a72b09f5a22ebd84d3d84aa2bb5e7f93bb8cbd6478d5694588a148afe0d70ac187f9d7eff

Download Submit
memory/1768-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1768-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1768-19-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download
memory/1768-26-0x0000000001710000-0x00000000017CB000-memory.dmp

Filesize
748KB

Download
memory/1768-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-88-0x000000000D920000-0x000000000D9B8000-memory.dmp

Filesize
608KB

Download
memory/2220-14-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2220-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2220-15-0x0000000002F70000-0x0000000003058000-memory.dmp

Filesize
928KB

Download
memory/2220-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2220-2-0x00000000014F0000-0x00000000015D8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing