bb41715196dec211423526d1e3184c00ce2f3cbe2ed8acbf973a92552fca84f0

General

Target

6244bf58c3d11d905fbb17ba1649e9b2.exe
Size

266KB
MD5

6244bf58c3d11d905fbb17ba1649e9b2
SHA1

06b6235fdfb5941b59bf9344bdf0704251fda697
SHA256

bb41715196dec211423526d1e3184c00ce2f3cbe2ed8acbf973a92552fca84f0
SHA512

69cfa48b3085b514f58d7683dde52e46484670abaffd83e1b50e8ffa5bf4fe59e9e3fa9da351042d37e4d436be235134bfc5230520abba42e9d1e336cbab42f0
SSDEEP

6144:e3QysUGUY5mXSFFCNGvCL8J6sijaRBJwIXhdeZa2HQ:eAheY5miKuM8JAazSg7ejw

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	6244bf58c3d11d905fbb17ba1649e9b2.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	6244bf58c3d11d905fbb17ba1649e9b2.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	6244bf58c3d11d905fbb17ba1649e9b2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b0000000122dc-11.dat	upx
behavioral1/files/0x000b0000000122dc-16.dat	upx
behavioral1/memory/1712-14-0x0000000000190000-0x0000000000216000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6244bf58c3d11d905fbb17ba1649e9b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6244bf58c3d11d905fbb17ba1649e9b2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	6244bf58c3d11d905fbb17ba1649e9b2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	6244bf58c3d11d905fbb17ba1649e9b2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	6244bf58c3d11d905fbb17ba1649e9b2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	6244bf58c3d11d905fbb17ba1649e9b2.exe
2792	6244bf58c3d11d905fbb17ba1649e9b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2792	1712	6244bf58c3d11d905fbb17ba1649e9b2.exe	16
PID 1712 wrote to memory of 2792	1712	6244bf58c3d11d905fbb17ba1649e9b2.exe	16
PID 1712 wrote to memory of 2792	1712	6244bf58c3d11d905fbb17ba1649e9b2.exe	16
PID 1712 wrote to memory of 2792	1712	6244bf58c3d11d905fbb17ba1649e9b2.exe	16

C:\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe
"C:\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe
  C:\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe

Filesize
38KB

MD5
575f66bdd84ebfbd4ded3445c258ed49

SHA1
83383b6b63a7570d3476620c62c934494b5b1b3f

SHA256
0cba0c234d259626358772ca2d72e5cea6528130c50944449b3ce417a9641a20

SHA512
ce3ddf793d4bd746094adb659eb013b83b984f9c77d9b105c438ffe9662e8d9f5370c3d07d7e72be0d6aed540cf44a0ffb7598304aa3509cdbe8a7e20b09e5e5

Download Submit
\Users\Admin\AppData\Local\Temp\6244bf58c3d11d905fbb17ba1649e9b2.exe

Filesize
5KB

MD5
35ba07fd33569728fcb9fc31b4125e68

SHA1
957d651bcd63603b3d356851625781a94fa3b27e

SHA256
3c79c8c0cfa7b78fa4c89a852bc17c96a21561de9fcc81895bed4033e3ada1f8

SHA512
552ffb9643f369ce3b6f1fa2e7d5f4a3d41c22e63da5bd549e10a998a8a153ea1325aea001e0602d8457f08afdd9a8451d762e2aef0a37d9ca5707da837167cc

Download Submit
memory/1712-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1712-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1712-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-14-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2792-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-20-0x00000000002F0000-0x0000000000311000-memory.dmp

Filesize
132KB

Download
memory/2792-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing