58295916d79066eb5040d0d92d2f2f99221b2d82410f3d41b25590da9f2bd559

General

Target

61d2efa9c1768ab71cc1cc51f0f3b729.exe
Size

1.6MB
MD5

61d2efa9c1768ab71cc1cc51f0f3b729
SHA1

e01a4a89e0191ea4d0d6f63bb2b323eeec3cd59d
SHA256

58295916d79066eb5040d0d92d2f2f99221b2d82410f3d41b25590da9f2bd559
SHA512

11c4de8f64f5c3ab8bcf6752fbb238bbb69bf7ec0b88e6367f3d845aeb821209ba135a73f7ae5b43f5d13b4426e0a13cd6b67e4d6091761fefe57170b36da896
SSDEEP

49152:eeAhCiUlen8zRYBcakLz0JuWDptmi4vF3RcakLz0O:euiUon8zqBcakcJu4ptmi4NBcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000900000001447e-13.dat	upx
behavioral1/files/0x000900000001447e-15.dat	upx
behavioral1/files/0x000900000001447e-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2572	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	61d2efa9c1768ab71cc1cc51f0f3b729.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	61d2efa9c1768ab71cc1cc51f0f3b729.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	61d2efa9c1768ab71cc1cc51f0f3b729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	61d2efa9c1768ab71cc1cc51f0f3b729.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe
1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1916	1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe	26
PID 1680 wrote to memory of 1916	1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe	26
PID 1680 wrote to memory of 1916	1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe	26
PID 1680 wrote to memory of 1916	1680	61d2efa9c1768ab71cc1cc51f0f3b729.exe	26
PID 1916 wrote to memory of 2572	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	29
PID 1916 wrote to memory of 2572	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	29
PID 1916 wrote to memory of 2572	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	29
PID 1916 wrote to memory of 2572	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	29
PID 1916 wrote to memory of 2748	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	32
PID 1916 wrote to memory of 2748	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	32
PID 1916 wrote to memory of 2748	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	32
PID 1916 wrote to memory of 2748	1916	61d2efa9c1768ab71cc1cc51f0f3b729.exe	32
PID 2748 wrote to memory of 2624	2748	cmd.exe	30
PID 2748 wrote to memory of 2624	2748	cmd.exe	30
PID 2748 wrote to memory of 2624	2748	cmd.exe	30
PID 2748 wrote to memory of 2624	2748	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe
"C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe
  C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\OHukunFUX.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 6ek6uOO9da42
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe

Filesize
291KB

MD5
51b86590195301abd9baa73f193a7a39

SHA1
89df86d29a5d77bf9ec59c6ebb632f027109a331

SHA256
849822a708df2b607694f10e68643fc75dc60955f7963378d39dee7dcb1d708a

SHA512
2e26762d93081a8ea354d1a73b5d5a6d2ae9be620436c37c467dcfdd9559e05588703e4c26c8dfef38859a46b33d9e03918a6ac87c2e20617c33b22beefe1b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe

Filesize
181KB

MD5
77c0f1e4ce44b6e7359cb5ec85de8c27

SHA1
46397b0707513c49d44658815b75fe721f6dc4e3

SHA256
6c602a2e4148847e8f6809bb9e296540800e0b94b65af0dec2e20dd920da3439

SHA512
d9497feb65bdbe83a145a6d33150f35335b14fc4acf0404fb885d000b6ae59703ccd56e5b6cc8e92bba0b5095f9236049bfe5e783dbe50fc4771f92a9a8aaa46

Download Submit
\Users\Admin\AppData\Local\Temp\61d2efa9c1768ab71cc1cc51f0f3b729.exe

Filesize
374KB

MD5
763da50aa2bf6e825ae08c4f80856946

SHA1
2e98d5d1633db7732ffd58a14370e5e4affe009f

SHA256
0192d902ea04821862b3de06142e5fee71a9ab3b3c3ef6eecef156030880e72f

SHA512
42e78a89fbf17f4b78e164d63452c711ba7fd43053ef7eeab0d160acf15c3bd505742e04a6c3ec67f53c5bc4e48dff72382164b5d0aa6b9ba453440c81430c18

Download Submit
memory/1680-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1680-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1680-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1680-2-0x00000000002A0000-0x000000000031E000-memory.dmp

Filesize
504KB

Download
memory/1916-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1916-30-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/1916-19-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1916-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1916-43-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads