40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004

General

Target

b526d51bbe38d595f87a63d1d48efb51.exe
Size

178KB
MD5

b526d51bbe38d595f87a63d1d48efb51
SHA1

de9e489e6c9c15b9ea7d939f9906ef85e8466cb0
SHA256

40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004
SHA512

e1329df6ccf89c079ecd2b77e07e7e9e8720b5d5e6c08fc067355d60f0107455baa903ef438b33ebd745b39473bcadd1b8a42fb6e12110745ce8fe24f26003dc
SSDEEP

3072:wHIedu9fC8sk5Aymo9QTiZcnffoqsHrmGX7vfzNdK6o9:168skeviZcnffoTlX92

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
2724	IH8iy78b97HuU88hgoiv9.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	IH8iy78b97HuU88hgoiv9.exe
3004	Bypass.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	b526d51bbe38d595f87a63d1d48efb51.exe
3048	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	IH8iy78b97HuU88hgoiv9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	IH8iy78b97HuU88hgoiv9.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2724	IH8iy78b97HuU88hgoiv9.exe
2724	IH8iy78b97HuU88hgoiv9.exe
2724	IH8iy78b97HuU88hgoiv9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	IH8iy78b97HuU88hgoiv9.exe
Token: SeDebugPrivilege	3004	Bypass.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2724	1688	b526d51bbe38d595f87a63d1d48efb51.exe	29
PID 1688 wrote to memory of 2724	1688	b526d51bbe38d595f87a63d1d48efb51.exe	29
PID 1688 wrote to memory of 2724	1688	b526d51bbe38d595f87a63d1d48efb51.exe	29
PID 2724 wrote to memory of 3004	2724	IH8iy78b97HuU88hgoiv9.exe	31
PID 2724 wrote to memory of 3004	2724	IH8iy78b97HuU88hgoiv9.exe	31
PID 2724 wrote to memory of 3004	2724	IH8iy78b97HuU88hgoiv9.exe	31
PID 2724 wrote to memory of 3004	2724	IH8iy78b97HuU88hgoiv9.exe	31

C:\Users\Admin\AppData\Local\Temp\b526d51bbe38d595f87a63d1d48efb51.exe
"C:\Users\Admin\AppData\Local\Temp\b526d51bbe38d595f87a63d1d48efb51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\IH8iy78b97HuU88hgoiv9.exe
  "C:\Users\Admin\AppData\Local\Temp\IH8iy78b97HuU88hgoiv9.exe" -parent 1688 b526d51bbe38d595f87a63d1d48efb51.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\Bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bypass.exe

Filesize
14KB

MD5
7197a31368cee20c5d7f44013bf6d2cb

SHA1
15ef58f4806ea0f627a87d6e8bacd1d0a89cdf50

SHA256
df269afb4e2f437350497ad5c5ed46911a29bed4cc366f6b0455f5db4c26220d

SHA512
49709f9fcd0d77b3a9105be2f175f1bb57838db988e19f6dca748a2a8dcfbaf1294fedfad440041766f6940c4831a1523e81024ad0d5f65b6f5ae06e504f6f04

Download Submit
\Users\Admin\AppData\Local\Temp\IH8iy78b97HuU88hgoiv9.exe

Filesize
178KB

MD5
b526d51bbe38d595f87a63d1d48efb51

SHA1
de9e489e6c9c15b9ea7d939f9906ef85e8466cb0

SHA256
40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004

SHA512
e1329df6ccf89c079ecd2b77e07e7e9e8720b5d5e6c08fc067355d60f0107455baa903ef438b33ebd745b39473bcadd1b8a42fb6e12110745ce8fe24f26003dc

Download Submit
memory/1688-1-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-10-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-0-0x000000013FF00000-0x000000013FF32000-memory.dmp

Filesize
200KB

Download
memory/2724-23-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/2724-12-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/2724-11-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2724-22-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2724-9-0x000000013F3D0000-0x000000013F402000-memory.dmp

Filesize
200KB

Download
memory/2724-28-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-19-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/3004-20-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-21-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/3004-24-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-25-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing