fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00

General

Target

fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe
Size

13.4MB
MD5

d0907740678802d7b10c4a547b665060
SHA1

ed49f0e6b66abd858085fb7d4305169aaaefd8d5
SHA256

fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00
SHA512

b62b4b21b9a4a03177b5e170b6b37a5e2187265823a4b4be0062cb7e925bd3690746da3f0bd6ac8cb5baac4393f0c8001bbd7f67fb386fff265e65df0af98b67

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x00000000010B8000-memory.dmp	upx
behavioral1/memory/1732-1-0x0000000000400000-0x00000000010B8000-memory.dmp	upx
behavioral1/memory/1732-2-0x0000000000400000-0x00000000010B8000-memory.dmp	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe

C:\Users\Admin\AppData\Local\Temp\fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe
"C:\Users\Admin\AppData\Local\Temp\fe5a36b3393bed4bec26a4738d9ab01b593d320f8fdb316c6787313d2778ca00.exe"
1⤵
- Modifies system certificate store
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x0000000000400000-0x00000000010B8000-memory.dmp

Filesize
12.7MB

Download
memory/1732-1-0x0000000000400000-0x00000000010B8000-memory.dmp

Filesize
12.7MB

Download
memory/1732-2-0x0000000000400000-0x00000000010B8000-memory.dmp

Filesize
12.7MB

Download

Analysis

Sharing