a0ba4caaefbeb0d04d34652448425a049f92779614440fdd28404f8ff0dbea7f

General

Target

533f6f09bb02ae7bfecc1ed784fae1af.exe
Size

1.6MB
MD5

533f6f09bb02ae7bfecc1ed784fae1af
SHA1

606329afe46cb8737f0022474bfc34b79f69729d
SHA256

a0ba4caaefbeb0d04d34652448425a049f92779614440fdd28404f8ff0dbea7f
SHA512

7614fcec65ca429983f7c8bc2d5d5a8ca39337108034c9466da3ae24dd97c572f8e0252aef3b11aa350c57f01d50a2e9f2c9c3d75d5e07e9256ba2e28c15e65b
SSDEEP

49152:Y5YH2Xa3jjaOJr5d1lGcakLz06u6Ftc7YcaDjXXUiLcakLz0O:Y5YH0a3jHx5HEcakc6u6rc7LaD7kWcaw

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
860	533f6f09bb02ae7bfecc1ed784fae1af.exe

Executes dropped EXE 1 IoCs

pid	Process
860	533f6f09bb02ae7bfecc1ed784fae1af.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	533f6f09bb02ae7bfecc1ed784fae1af.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000014825-13.dat	upx
behavioral1/files/0x000a000000014825-17.dat	upx
behavioral1/files/0x000a000000014825-11.dat	upx
behavioral1/memory/2004-9-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	533f6f09bb02ae7bfecc1ed784fae1af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	533f6f09bb02ae7bfecc1ed784fae1af.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	533f6f09bb02ae7bfecc1ed784fae1af.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	533f6f09bb02ae7bfecc1ed784fae1af.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2004	533f6f09bb02ae7bfecc1ed784fae1af.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2004	533f6f09bb02ae7bfecc1ed784fae1af.exe
860	533f6f09bb02ae7bfecc1ed784fae1af.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 860	2004	533f6f09bb02ae7bfecc1ed784fae1af.exe	22
PID 2004 wrote to memory of 860	2004	533f6f09bb02ae7bfecc1ed784fae1af.exe	22
PID 2004 wrote to memory of 860	2004	533f6f09bb02ae7bfecc1ed784fae1af.exe	22
PID 2004 wrote to memory of 860	2004	533f6f09bb02ae7bfecc1ed784fae1af.exe	22
PID 860 wrote to memory of 2728	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	18
PID 860 wrote to memory of 2728	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	18
PID 860 wrote to memory of 2728	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	18
PID 860 wrote to memory of 2728	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	18
PID 860 wrote to memory of 2580	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	19
PID 860 wrote to memory of 2580	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	19
PID 860 wrote to memory of 2580	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	19
PID 860 wrote to memory of 2580	860	533f6f09bb02ae7bfecc1ed784fae1af.exe	19
PID 2580 wrote to memory of 2636	2580	cmd.exe	20
PID 2580 wrote to memory of 2636	2580	cmd.exe	20
PID 2580 wrote to memory of 2636	2580	cmd.exe	20
PID 2580 wrote to memory of 2636	2580	cmd.exe	20

C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe
"C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe
  C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:860

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe" /TN 6ek6uOO9da42 /F
1⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\ML4NycuC.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Query /XML /TN 6ek6uOO9da42
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe

Filesize
203KB

MD5
be813077a75bd3c147eae27dbaed8cd7

SHA1
7d627d79bc63ae77cbe90a31e15ae37fa1ad5a66

SHA256
a35092ffe187baff31b3aa8be08ccb6e1adb0bf54a4abf5bc9589a94287988ad

SHA512
ccd57bca5501f6ffdb7a79f2e9765a919d1a7f2345acabdc412fbdfa9bf3755404e6d515ac7864c71287f890ef6a9b46962a80c3c4da1c537cd1c0015764e9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe

Filesize
111KB

MD5
a5251add32b91e54a22d37f4b0cf0e9f

SHA1
979341cbf49d1d8cf2db85cd07129a39f5e0d4bc

SHA256
8220f2331c16671a3df6600de0281547c5e19ebfaa25240cf14785dcfc3a3044

SHA512
0195ba8d2b2e9bb58a3ae6e93a670b203c90c69d8109f6e5ac6e3a0558c81c7d5a7d735ed5710c035ec99fa9bfaac0a195dcc47bd449ba94ce7568db98bf1867

Download Submit
C:\Users\Admin\AppData\Local\Temp\ML4NycuC.xml

Filesize
1KB

MD5
677b0a850aac86a524e55b04cdf1a579

SHA1
62d202976a74637ed1e8bc7b8a89ea084c684adb

SHA256
0ed0c4f179d8acee2b477b82232b87b2e749660781218c863f43cc2ea580a4d2

SHA512
f399bf3da113d40a475eb0a9fb17926e7d9449f3408ae07dbb20163a64e79b6003d9865ae54ad613a57e633a1a2ad766ba72ab00119f873273bd91916e187228

Download Submit
\Users\Admin\AppData\Local\Temp\533f6f09bb02ae7bfecc1ed784fae1af.exe

Filesize
75KB

MD5
ff9fc0aeb00248428b4654682d0fb89f

SHA1
3ed1c34f7238b165e96d03ec5bc5707bff6fdd75

SHA256
44aaf596f1e6d434dc549c6d622b1809820c25639024beda1b7691d714fe2c04

SHA512
30d153fb4fa40af80543f57f750077cf976825921b44b440b3383776142bd0aaa8a92eada26bc7ae91df9785d293a52d3c8646ebeba88fcd0eced736aae4ec6f

Download Submit
memory/860-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/860-22-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/860-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/860-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/860-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2004-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-16-0x0000000023070000-0x00000000232CC000-memory.dmp

Filesize
2.4MB

Download
memory/2004-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-10-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download
memory/2004-9-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads