c550c252b6c9796dbf605284b8a6a7060ced1c434ce2a8ad0bceaa6e657a9cec

General

Target

71224dc75fb2f86ab463fdee22681f86.exe
Size

133KB
MD5

71224dc75fb2f86ab463fdee22681f86
SHA1

58ec89b9ad8f9ce91478a17609e71c3465ec776a
SHA256

c550c252b6c9796dbf605284b8a6a7060ced1c434ce2a8ad0bceaa6e657a9cec
SHA512

276974f33a30f029e0a92cc790336fa3253a23858a65ebb20b56b759acbbdb3dbca55ed99dbdf6377dfe181707985bd1878c15bcf80af4e84c025044bd884274
SSDEEP

3072:XuMC9KDxSpbdB2bSfHug/rFk5kuPnu1es8NJidPwzpDSNrQJQ:+1EDxCbd8hrO1esaoogJsQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	71224dc75fb2f86ab463fdee22681f86.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	71224dc75fb2f86ab463fdee22681f86.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	71224dc75fb2f86ab463fdee22681f86.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000d000000012251-11.dat	upx
behavioral1/files/0x000d000000012251-16.dat	upx
behavioral1/memory/2248-14-0x0000000000310000-0x0000000000396000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	71224dc75fb2f86ab463fdee22681f86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	71224dc75fb2f86ab463fdee22681f86.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	71224dc75fb2f86ab463fdee22681f86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	71224dc75fb2f86ab463fdee22681f86.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	71224dc75fb2f86ab463fdee22681f86.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2248	71224dc75fb2f86ab463fdee22681f86.exe
2264	71224dc75fb2f86ab463fdee22681f86.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2264	2248	71224dc75fb2f86ab463fdee22681f86.exe	14
PID 2248 wrote to memory of 2264	2248	71224dc75fb2f86ab463fdee22681f86.exe	14
PID 2248 wrote to memory of 2264	2248	71224dc75fb2f86ab463fdee22681f86.exe	14
PID 2248 wrote to memory of 2264	2248	71224dc75fb2f86ab463fdee22681f86.exe	14

C:\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe
C:\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2264

C:\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe
"C:\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe

Filesize
37KB

MD5
ceb12e8f42f25712acc989269cb59f4d

SHA1
0d05a2eae8b4696811aef4ed97d28f365ffdfa9c

SHA256
b72126a4c892620702b7521066379136e0310c5957515e0abea9372bae248f28

SHA512
a127dc1c55d693ba59f5e1b4b501c3e98efb7984e56e73d1e952674507bb318e40c7333db222a04f87c96a3bb2e89a6f02b45a51e0cc79af6e6b1b395142afb5

Download Submit
\Users\Admin\AppData\Local\Temp\71224dc75fb2f86ab463fdee22681f86.exe

Filesize
63KB

MD5
93387452ead3839ad7c53be297c7500a

SHA1
8da0f16fe13070c57c4a0f7d25a57d5cb1c9c030

SHA256
df2701310dc0cdd2380cd595efbef30434bdafe6ee3da559810b5229f3f2afb5

SHA512
6197299e9a3bf1563c70fcd8204a1e394ae4b75586644f3cc5aab9c733131e999a502ce304603d39df0684b415851bd490d9cc0ec077092017ca57b7f99c22ef

Download Submit
memory/2248-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-7-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/2248-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-14-0x0000000000310000-0x0000000000396000-memory.dmp

Filesize
536KB

Download
memory/2264-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2264-20-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/2264-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing