d169642e23c3803cda44034a73d0c14679eab8b348be9ed90f063aad0d15ddc7

General

Target

56e3668a822309f9e5cdaaf5e18d4c9c.exe
Size

6.0MB
MD5

56e3668a822309f9e5cdaaf5e18d4c9c
SHA1

21bf0d1c75a7167be360fcf4c23411be330d950e
SHA256

d169642e23c3803cda44034a73d0c14679eab8b348be9ed90f063aad0d15ddc7
SHA512

4f709887301334fb635c466e8bee26a5b4f2350e3452ba121d97d83347578ec835b5f237f6c79412a16663b843276bbb45ca12eb70d2bc1d0f1a6a4f1531af1b
SSDEEP

98304:VyarrQEcakhy595sgp9cak6fE8TPIcakhy595sgp9caku/nUZnAQokWcakhy595z:hrUEdBXTdm8TPIdBXTdfghokWdBXTdmw

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c00000001415e-11.dat	upx
behavioral1/memory/2696-16-0x00000000239B0000-0x0000000023C0C000-memory.dmp	upx
behavioral1/files/0x000c00000001415e-17.dat	upx
behavioral1/files/0x000c00000001415e-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2980	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	56e3668a822309f9e5cdaaf5e18d4c9c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	56e3668a822309f9e5cdaaf5e18d4c9c.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	56e3668a822309f9e5cdaaf5e18d4c9c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	56e3668a822309f9e5cdaaf5e18d4c9c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe
2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2188	2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe	30
PID 2696 wrote to memory of 2188	2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe	30
PID 2696 wrote to memory of 2188	2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe	30
PID 2696 wrote to memory of 2188	2696	56e3668a822309f9e5cdaaf5e18d4c9c.exe	30
PID 2188 wrote to memory of 2980	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	31
PID 2188 wrote to memory of 2980	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	31
PID 2188 wrote to memory of 2980	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	31
PID 2188 wrote to memory of 2980	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	31
PID 2188 wrote to memory of 2268	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	34
PID 2188 wrote to memory of 2268	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	34
PID 2188 wrote to memory of 2268	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	34
PID 2188 wrote to memory of 2268	2188	56e3668a822309f9e5cdaaf5e18d4c9c.exe	34
PID 2268 wrote to memory of 2192	2268	cmd.exe	35
PID 2268 wrote to memory of 2192	2268	cmd.exe	35
PID 2268 wrote to memory of 2192	2268	cmd.exe	35
PID 2268 wrote to memory of 2192	2268	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe
"C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe
  C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\Glfiyxna.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe

Filesize
595KB

MD5
0382709c9316aa72bf7bbbf4d62eea8d

SHA1
4a58282afb335211fbc05baf723fdc3fb7f35c89

SHA256
0312ca73f55e6903a804f9945d09dfd4b56fb657c29487a8dd698e3fc84cd341

SHA512
1cac31c2e0aaa75170cd6f23b0650bf7f67c09764f421fddf35efb271c5a3ff3f64fe3738b1a1eae5f5408236d2f549bdee0f0ec3a2430184836e29728e06313

Download Submit
C:\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe

Filesize
701KB

MD5
da4032cfa42a02797fd273f885965cca

SHA1
4eb641655acb7862045ad80163e0d758098a4b33

SHA256
dac2c5a1fe6e90816b90874643ed223a5bd2806517bb93471f7dde3979979dcd

SHA512
986381da3d71f21ef51d87f2d2775a42c795a7129e9e2db933951cb8f7bdc87b58d0b887a6e518406c8a0cf1c0f07b7ed158cec329c9df6ebc50b7d544c9f542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glfiyxna.xml

Filesize
1KB

MD5
ba676034da5a4c1097c52643f69fa7ba

SHA1
e6d7bbc107fa1ec53662ac33b7ce0ba0cfbd0992

SHA256
d21360e3c10c9fe4ac0e5ce40e82da3ae688330e42da9049c76a4c5a9bfbd19a

SHA512
b3c3d9181eaf21f6dbab3e720d589134920fd9104e10e499a6e3385f66e05bb3ca93774143de3c4d64af021589564c7c3b3e3e53052a67df1b5873cf655db38b

Download Submit
\Users\Admin\AppData\Local\Temp\56e3668a822309f9e5cdaaf5e18d4c9c.exe

Filesize
638KB

MD5
4b36d70d2305e6f326da5be99a72d34d

SHA1
ffec9095c5869c8231fec114308acdf21d539b55

SHA256
9a4cfb2e34db813f6cc34183018762b7d3639739d9806e7890c9f612c28526f2

SHA512
2cf8b616d40d6ba73dce8dce46bf13af2fed96201ad55b15be01fae7872f1c9b6481b19cbe5dd30cc080879740809619aef4eee591b823f944d3067888204c3b

Download Submit
memory/2188-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2188-21-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2188-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2188-31-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2188-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2696-16-0x00000000239B0000-0x0000000023C0C000-memory.dmp

Filesize
2.4MB

Download
memory/2696-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2696-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2696-3-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2696-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads