e351dc5187e624ada105df7b86e97509ab58067ba7219cca84ab7a4404951efc

General

Target

677263265cc525cfd549134dcbd89ac8.exe
Size

133KB
MD5

677263265cc525cfd549134dcbd89ac8
SHA1

64d2a11e38fc04bb9ef6bb59d1d47c563196ccee
SHA256

e351dc5187e624ada105df7b86e97509ab58067ba7219cca84ab7a4404951efc
SHA512

9a1380c93fbf5e722f6331788d8288b0eaeede645b1cead924001c88308e186655e65bcc0fabdbee545ea898e8f9f492a3513a488f7b404c0ff594bb0d2e0f11
SSDEEP

3072:j8feB6y3E/coPZ+ZyKwILqIYoGX0k0s6eZGacBNnUw/5Q:j6eB5E/cvwKwILqIYoGXB6QGacBz/5Q

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2276	677263265cc525cfd549134dcbd89ac8.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	677263265cc525cfd549134dcbd89ac8.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	677263265cc525cfd549134dcbd89ac8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b00000001223f-11.dat	upx
behavioral1/files/0x000b00000001223f-14.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	677263265cc525cfd549134dcbd89ac8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	677263265cc525cfd549134dcbd89ac8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3020	677263265cc525cfd549134dcbd89ac8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3020	677263265cc525cfd549134dcbd89ac8.exe
2276	677263265cc525cfd549134dcbd89ac8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2276	3020	677263265cc525cfd549134dcbd89ac8.exe	16
PID 3020 wrote to memory of 2276	3020	677263265cc525cfd549134dcbd89ac8.exe	16
PID 3020 wrote to memory of 2276	3020	677263265cc525cfd549134dcbd89ac8.exe	16
PID 3020 wrote to memory of 2276	3020	677263265cc525cfd549134dcbd89ac8.exe	16

C:\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe
"C:\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe
  C:\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2276

Network

DNS

cutit.org

677263265cc525cfd549134dcbd89ac8.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
DNS

ww7.cutit.org

Remote address:

8.8.8.8:53

Request

ww7.cutit.org

IN A

Response

ww7.cutit.org

IN CNAME

78626.bodis.com

78626.bodis.com

IN A

199.59.243.225
GET

http://ww7.cutit.org/oxgBR?usid=25&utid=4365005176

Remote address:

199.59.243.225:80

Request

GET /oxgBR?usid=25&utid=4365005176 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww7.cutit.org

Response

HTTP/1.1 200 OK

date: Fri, 22 Dec 2023 08:21:34 GMT
content-type: text/html; charset=utf-8
content-length: 1097
x-request-id: c20dcabb-9625-4d1d-8f76-24add3af48a2
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I0hSG69y56HCN94ACrYJ7o22HTYojJlBWhUsDuIvyeA6ziqbJ8Zz5gf1zCg5KBYosD8ydbUEoIK+uzM930e6kA==
set-cookie: parking_session=c20dcabb-9625-4d1d-8f76-24add3af48a2; expires=Fri, 22 Dec 2023 08:36:35 GMT; path=/

64.91.240.248:443

cutit.org

tls

677263265cc525cfd549134dcbd89ac8.exe

1.3kB
3.4kB
12
9
199.59.243.225:80

http://ww7.cutit.org/oxgBR?usid=25&utid=4365005176

http

813 B
2.6kB
13
6

HTTP Request

GET http://ww7.cutit.org/oxgBR?usid=25&utid=4365005176

HTTP Response

200

8.8.8.8:53

cutit.org

dns

677263265cc525cfd549134dcbd89ac8.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248
8.8.8.8:53

ww7.cutit.org

dns

59 B
104 B
1
1

DNS Request

ww7.cutit.org

DNS Response

199.59.243.225

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe

Filesize
76KB

MD5
dbcab8580f09947adf83bffc1e7f2400

SHA1
4b6729738a15b9da3426921f1b72bec0407a098d

SHA256
5b63bebd0f43dbc2202f816db7e257e83148c2288973eb0d0c3e80b5fc70c4c7

SHA512
b552fd6b2a2bd29560e3b0cd23cf2855a4bace127b6b885e161a1274e38bda5b8a7c39fc5a4ca7854d8b58eb1eb18cd874e3d808d813f74b03eafb3e2a99ce5c

Download Submit
\Users\Admin\AppData\Local\Temp\677263265cc525cfd549134dcbd89ac8.exe

Filesize
133KB

MD5
0a1a9aa9e2d4bf603945781711dbb275

SHA1
47ce64a98257b7a581cbaabab70072bd0b658f11

SHA256
07c5ee08008c981b3c7195b38af2671245c6e95ec687199ae5dbbc2a28f0afae

SHA512
e33900fd86e3992c8e9e5c1d5ac18a8ca2b27b1419449bab7da3a798024f005bc5fe9ded21e03d4e9fe67db093d591538fd87bc6f00df5163f8891788eb522e5

Download Submit
memory/2276-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2276-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2276-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3020-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3020-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-1-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/3020-16-0x0000000002CB0000-0x0000000002D36000-memory.dmp

Filesize
536KB

Download
memory/3020-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response