f893bc98094713015557bcdc69cd36cefc9bfd51cd679b5afd0fa7fe7897b193

General

Target

3cc13e71556e38e5b8446989f3de37ad.exe
Size

918KB
MD5

3cc13e71556e38e5b8446989f3de37ad
SHA1

742c69f993c266ebaa75a74000d981383d103ed8
SHA256

f893bc98094713015557bcdc69cd36cefc9bfd51cd679b5afd0fa7fe7897b193
SHA512

12b6fa52acb0e63de8d274daf90dc603caf34c48c1c65af7736fca6b9feb3c3bdab8f41e16fedda360e07693d95a1b1668925c225528a471ece7f1276ef0dd0f
SSDEEP

12288:zA1Dwma8NpHssmTU6oGo7dBOTOLJcQHU6Ym3ku7pmTU6oGo7dBOTOLJcM:E1Dwu2TFoGohUe0YkuQTFoGohUi

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	3cc13e71556e38e5b8446989f3de37ad.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	3cc13e71556e38e5b8446989f3de37ad.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	3cc13e71556e38e5b8446989f3de37ad.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1220-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000b000000012267-11.dat	upx
behavioral1/memory/1220-13-0x0000000022F90000-0x0000000023070000-memory.dmp	upx
behavioral1/files/0x000b000000012267-17.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3cc13e71556e38e5b8446989f3de37ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3cc13e71556e38e5b8446989f3de37ad.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	3cc13e71556e38e5b8446989f3de37ad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	3cc13e71556e38e5b8446989f3de37ad.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1220	3cc13e71556e38e5b8446989f3de37ad.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1220	3cc13e71556e38e5b8446989f3de37ad.exe
2360	3cc13e71556e38e5b8446989f3de37ad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2360	1220	3cc13e71556e38e5b8446989f3de37ad.exe	29
PID 1220 wrote to memory of 2360	1220	3cc13e71556e38e5b8446989f3de37ad.exe	29
PID 1220 wrote to memory of 2360	1220	3cc13e71556e38e5b8446989f3de37ad.exe	29
PID 1220 wrote to memory of 2360	1220	3cc13e71556e38e5b8446989f3de37ad.exe	29

C:\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe
"C:\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe
  C:\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe

Filesize
51KB

MD5
c0ce354372d470956a030c8586afcddc

SHA1
7d1b7e47d4caf0337b8c3c18d9e28ef3cd610567

SHA256
648b41110dbdf5d405a9e242a6c28f65fa8c6da9e5c045b83cde0cfa7fec50db

SHA512
11f3b56fe79869bff30d171c87e06c8c9c60d231ca76105e651c8a096195a584dbe3f6fcc7d1fd5d4c5320cd9bca0a1f70aecf9d7066af02af093c636ef0fd14

Download Submit
\Users\Admin\AppData\Local\Temp\3cc13e71556e38e5b8446989f3de37ad.exe

Filesize
918KB

MD5
9eee4d4f7baad7eb38c8bb5c894a646e

SHA1
60046f89579e8552a78c868b97bfe5a0d758900b

SHA256
012fa7423d0cf532e565c3540136a64f138942dcbe0d7012cf955f6c4d0d423a

SHA512
a2017aef848b1a77fb62790f75c8b29101aa457a5f93c780ec2d186d9a288dc6b3d4cf06a68274771e98d2237a5833125f28582e1264fbb16406ebe57053cdef

Download Submit
memory/1220-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1220-2-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1220-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-13-0x0000000022F90000-0x0000000023070000-memory.dmp

Filesize
896KB

Download
memory/1220-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-18-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2360-42-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing