023314cd35c34c510b62f4a1edb4728089036f93c34b40459b2e3f8e490af1f8

General

Target

7227d5b1458363e3f18a248cce952284.exe
Size

133KB
MD5

7227d5b1458363e3f18a248cce952284
SHA1

8dbc5f90b87af801e475056078642f13eec7f2c5
SHA256

023314cd35c34c510b62f4a1edb4728089036f93c34b40459b2e3f8e490af1f8
SHA512

b6141704f68989c6ed60e7f961d803ff291347b3e2a189327fb71f3ace9e0375064427b65625fcaa5bf65213ee85480ee88c0c4543345d45b13f69fc45b10b11
SSDEEP

3072:Jph+TXf1+9V+ypTEZU93sIMHTqtaKcdVoS/UX/bDYQJDxQa0ZQ:Jiz1+9V+yp4I3YzrdVPUX/bc7dQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	7227d5b1458363e3f18a248cce952284.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	7227d5b1458363e3f18a248cce952284.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	7227d5b1458363e3f18a248cce952284.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000c00000001220d-16.dat	upx
behavioral1/files/0x000c00000001220d-13.dat	upx
behavioral1/files/0x000c00000001220d-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7227d5b1458363e3f18a248cce952284.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7227d5b1458363e3f18a248cce952284.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2240	7227d5b1458363e3f18a248cce952284.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2240	7227d5b1458363e3f18a248cce952284.exe
2052	7227d5b1458363e3f18a248cce952284.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2052	2240	7227d5b1458363e3f18a248cce952284.exe	15
PID 2240 wrote to memory of 2052	2240	7227d5b1458363e3f18a248cce952284.exe	15
PID 2240 wrote to memory of 2052	2240	7227d5b1458363e3f18a248cce952284.exe	15
PID 2240 wrote to memory of 2052	2240	7227d5b1458363e3f18a248cce952284.exe	15

C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe
C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2052

C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe
"C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe

Filesize
61KB

MD5
9e8f69e3ba9bcc8b4f5b29100c26fba5

SHA1
fe62ab15f803c674e904ffcde42e93bcc2aae2bd

SHA256
e6cdc268c6a9b5b26e7d511c85f83165e468da5d89d8d31ab7155adfef67c2de

SHA512
15449fcd7700736112556228503c87222a63992a707ac87047a4e0d9597dbfb3b29bb2e6629b870457ba7ad6b6d1616e2d31a0ca346ad8a401125de0322268cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe

Filesize
1KB

MD5
c3d36978bc3b92804505e8db7232ccef

SHA1
7ffde297ab239b77bb8516caaac4185c0d8b8880

SHA256
f22d8a339dbdcad05af1777f0f274aef6d9b1a0dad9bfc0d9fa98a69cc88bd23

SHA512
23f56e74d5be25dec07264109860969459581e33340d447ebfe0be5064110c87835001b4001b49de7b519f0e0a3f32b72028f92a303cd36a94d4645c96dfc9a4

Download Submit
\Users\Admin\AppData\Local\Temp\7227d5b1458363e3f18a248cce952284.exe

Filesize
7KB

MD5
075112244b7954a5977000ded9c00745

SHA1
da35691c102b37a33b0dd3ca65e897f9fd8e07a7

SHA256
dfe22ba160ddfb643393ad154d8217bcb5cdcb4640b6dbfe2f23f721dc6e93b5

SHA512
a5d339a3d2eb2f4c47027ba484ec7676528a9d1dce0a6eae5b8f56721a3cb30d10cf0db155bb32b697255f005b48e3e821630987e499c5b66ec7ae479a163556

Download Submit
memory/2052-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2052-19-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2052-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2240-3-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2240-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2240-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2240-15-0x00000000001A0000-0x0000000000226000-memory.dmp

Filesize
536KB

Download
memory/2240-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing