b8beb089f369ffc86f76b1700d8938adeff41c6535770c3899ac113ed644fac3

General

Target

e0647ad5202ed4a2b09a10b71e185f52.exe
Size

1.5MB
MD5

e0647ad5202ed4a2b09a10b71e185f52
SHA1

cbbd5e8b046533cd2369e7c957933af84c56eec3
SHA256

b8beb089f369ffc86f76b1700d8938adeff41c6535770c3899ac113ed644fac3
SHA512

eafd0e7ffd95f2ee783ed5cf987ef1d904931df295de699e20e7da203874f56be0b9218d858e32adbd30e0470d556af03287cb991d96842271e1cb3d6b2564fd
SSDEEP

24576:uDwxnIsBgIBtD65b10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FP:eUIW5Bta/ofqg4/ofp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	e0647ad5202ed4a2b09a10b71e185f52.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	e0647ad5202ed4a2b09a10b71e185f52.exe

Loads dropped DLL 1 IoCs

pid	Process
2440	e0647ad5202ed4a2b09a10b71e185f52.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	e0647ad5202ed4a2b09a10b71e185f52.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	e0647ad5202ed4a2b09a10b71e185f52.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	e0647ad5202ed4a2b09a10b71e185f52.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2440	e0647ad5202ed4a2b09a10b71e185f52.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2440	e0647ad5202ed4a2b09a10b71e185f52.exe
2996	e0647ad5202ed4a2b09a10b71e185f52.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2996	2440	e0647ad5202ed4a2b09a10b71e185f52.exe	28
PID 2440 wrote to memory of 2996	2440	e0647ad5202ed4a2b09a10b71e185f52.exe	28
PID 2440 wrote to memory of 2996	2440	e0647ad5202ed4a2b09a10b71e185f52.exe	28
PID 2440 wrote to memory of 2996	2440	e0647ad5202ed4a2b09a10b71e185f52.exe	28

C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
"C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
  C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB062.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe

Filesize
136KB

MD5
0a7799ae33a527c7778b3e080d1b41a4

SHA1
1cbd82ea73399887f536fca2716fe6e2424cd734

SHA256
46a509023ef1f317a6fde20d5dd32e7bf3c2a123d21ee0ecb44e215781f7dffa

SHA512
6e7c9d3564cdf14e33eab8fc9999ea91b57f263a1dff7c9439d8200c078895e3d37766772ced41105b2c689fc89ac42fe31ad3d25e2783d99cb6145e9b146a07

Download Submit
\Users\Admin\AppData\Local\Temp\e0647ad5202ed4a2b09a10b71e185f52.exe

Filesize
1.0MB

MD5
a26373892313b8a97a8f90382cedaf13

SHA1
03b2f24173dbaf549a5ae82e5ab18cb2e32125ad

SHA256
85b0114592f820944c87193450aca2dc49f96a30d9e3a76fc03ed763584a7e2c

SHA512
6b153486282bfe458e532d8d4d2a15db65ebb013057b957b08542742144aba7fc143270fd20d349d13986a00ec0e8f75b638ca238289129d87a0f3c5afa236a3

Download Submit
memory/2440-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2440-2-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2440-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2440-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2440-12-0x0000000002D40000-0x0000000002DA6000-memory.dmp

Filesize
408KB

Download
memory/2996-16-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2996-24-0x0000000001470000-0x00000000014CF000-memory.dmp

Filesize
380KB

Download
memory/2996-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2996-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2996-86-0x0000000009680000-0x00000000096BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing