3d2e30dde4841996188ea62b87434b53de52b737567c9fd3832e9781aab06553

General

Target

e061691f0dbcc9fde5beaf64f210f70c.exe
Size

385KB
MD5

e061691f0dbcc9fde5beaf64f210f70c
SHA1

8c6c087f3bcfa83ac7f0e6f770f6df4b1fafde16
SHA256

3d2e30dde4841996188ea62b87434b53de52b737567c9fd3832e9781aab06553
SHA512

24195e2b03b4c840edf0a54b3c9f13e038bf2cf6995f723dda92539130a9f1193533ead99bd485ef2705ad73d1c084e3185f62377895104c4f44994ebf7a5979
SSDEEP

6144:LLTK+k2lqi39drRCvxlLZ3mrL93I/adApyBDDUKoN0D+lqkIbhI4R6eLXOxQmJ2x:L/k3H53mG/aupUDUKohUfRxXOx/QB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1940	e061691f0dbcc9fde5beaf64f210f70c.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	e061691f0dbcc9fde5beaf64f210f70c.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	e061691f0dbcc9fde5beaf64f210f70c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
3	pastebin.com

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	e061691f0dbcc9fde5beaf64f210f70c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	e061691f0dbcc9fde5beaf64f210f70c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	e061691f0dbcc9fde5beaf64f210f70c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2256	e061691f0dbcc9fde5beaf64f210f70c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2256	e061691f0dbcc9fde5beaf64f210f70c.exe
1940	e061691f0dbcc9fde5beaf64f210f70c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1940	2256	e061691f0dbcc9fde5beaf64f210f70c.exe	28
PID 2256 wrote to memory of 1940	2256	e061691f0dbcc9fde5beaf64f210f70c.exe	28
PID 2256 wrote to memory of 1940	2256	e061691f0dbcc9fde5beaf64f210f70c.exe	28
PID 2256 wrote to memory of 1940	2256	e061691f0dbcc9fde5beaf64f210f70c.exe	28

C:\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe
"C:\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe
  C:\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar81D4.tmp

Filesize
133KB

MD5
e237dac07cff6e177a56e8f2c75a8e32

SHA1
347026016b1d6c231c2c4a0cc7f9648d9a16b539

SHA256
b633b616215a903a4a76d0e8aa80ccd2b36fd01e44fad79b663964f09530f95e

SHA512
0c2830ff1428d036a02bbfbdbc6ec21ee44e023d9f2cd748d940d2fb1eac865be18b250bed1c7562bd2485a5fea3b2eab83cbe02563551cdc83086cf8b160518

Download Submit
C:\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe

Filesize
83KB

MD5
8e574139ec65ef72f5bc119d052fcdda

SHA1
9b91282beeac13331e394ee3e75fc85de47ce4b8

SHA256
45311c5703aed2ac1188a652b57ca39fb610d87c8e0f8901b2f4e4599e12244e

SHA512
a7e4afd48ee3dc18ca1e28767eaa5a37a961515d05b73979206d8ecdc70dc9fd60cc650a90edd50f29d0ab5ca7b54eaa4d57bf32329d5731ad94f714326829e4

Download Submit
\Users\Admin\AppData\Local\Temp\e061691f0dbcc9fde5beaf64f210f70c.exe

Filesize
49KB

MD5
5633c162fc53689f6a8ad8a2a1e80a42

SHA1
7ad8d4f20b9538e02260de1bb2b82b1509182c18

SHA256
33e0d972956e46db398558cea9b5d76d89b4f51118e18660d2bad641737854c8

SHA512
3562a9ad4893fa18f247392701ed606590703d531f8a00a30bac7b25b4ec6bf54c1b4c8e8847d3371a9b2c818353f3717e4085082a3514fbaf9f92ac70f33615

Download Submit
memory/1940-16-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/1940-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-26-0x00000000002F0000-0x000000000034F000-memory.dmp

Filesize
380KB

Download
memory/1940-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1940-83-0x000000000A5D0000-0x000000000A60C000-memory.dmp

Filesize
240KB

Download
memory/1940-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2256-14-0x0000000001680000-0x00000000016E6000-memory.dmp

Filesize
408KB

Download
memory/2256-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2256-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2256-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2256-2-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing