b3a10ff1241efa94a6baa9f0c2844b6d3450a818a7caa0c8de7a2bd49bfce362

General

Target

62248fe8856ecdd6200bbda5636976fe.exe
Size

133KB
MD5

62248fe8856ecdd6200bbda5636976fe
SHA1

8a5766e20252b72145effe77ce72132fffad7219
SHA256

b3a10ff1241efa94a6baa9f0c2844b6d3450a818a7caa0c8de7a2bd49bfce362
SHA512

7fc749c71fbee0ef14495edb0c23891f6b549ce153f77016f90904e3de017cf998aa906505352a6cbc4e0cd9647e1fc5dfebbceb334e128258c9f0ee874bc96d
SSDEEP

3072:cIFrpcoX4xBLl8ixyWzQiKimIYlP1WFHE9nDy6mRAIZ2m5GbnQ:7FVD79BlM0n9INYLTQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2088	62248fe8856ecdd6200bbda5636976fe.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	62248fe8856ecdd6200bbda5636976fe.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	62248fe8856ecdd6200bbda5636976fe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000a000000015d70-14.dat	upx
behavioral1/files/0x000a000000015d70-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	62248fe8856ecdd6200bbda5636976fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	62248fe8856ecdd6200bbda5636976fe.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	62248fe8856ecdd6200bbda5636976fe.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	62248fe8856ecdd6200bbda5636976fe.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2404	62248fe8856ecdd6200bbda5636976fe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2404	62248fe8856ecdd6200bbda5636976fe.exe
2088	62248fe8856ecdd6200bbda5636976fe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2088	2404	62248fe8856ecdd6200bbda5636976fe.exe	14
PID 2404 wrote to memory of 2088	2404	62248fe8856ecdd6200bbda5636976fe.exe	14
PID 2404 wrote to memory of 2088	2404	62248fe8856ecdd6200bbda5636976fe.exe	14
PID 2404 wrote to memory of 2088	2404	62248fe8856ecdd6200bbda5636976fe.exe	14

C:\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe
C:\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2088

C:\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe
"C:\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe

Filesize
85KB

MD5
850ca5f9687fc6b5d33b01b9a9a11a34

SHA1
d43370bc25c8152a8b895d7e2a6c89f0d5976538

SHA256
77c164f181db5508284571440ad4a91a2f9812b5162ed9944bcf5261b97e2cf4

SHA512
0d5128ad6b39b3da04497688821eb863d1db2648cd0a9b3fca32bc231c4f538f3636308926f0ec6848bc480bf47ab2461a6a2dfcad66f45bff9fca6a02f7ad59

Download Submit
\Users\Admin\AppData\Local\Temp\62248fe8856ecdd6200bbda5636976fe.exe

Filesize
92KB

MD5
b6bb6a7a040188c1dd3eeca7ab0ff3cc

SHA1
1852f5b53c222addc988b93730dd9a9861c6649a

SHA256
06605c2981c15426767db66c1c526f3e4b06eaeb8805882546f984a8370df1b5

SHA512
f3cf6512fa80ba5ad60d8f509bd80217c7272631a682791116c80b6e18fed316bf0f21836fc631762cd54a7310ef44fe72c63b91e0371195e89cf38b63af8fea

Download Submit
memory/2088-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2088-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2088-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2404-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2404-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-16-0x00000000001B0000-0x0000000000236000-memory.dmp

Filesize
536KB

Download
memory/2404-5-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing