9d12a2495919f42e952ebe1cd38785c912a639e92ead179081891027d1b87863

General

Target

72de7a1e06392946dbda10750c60318b.exe
Size

2.6MB
MD5

72de7a1e06392946dbda10750c60318b
SHA1

b4fb0788605a63bb9d32d67f69d845fca7b9741b
SHA256

9d12a2495919f42e952ebe1cd38785c912a639e92ead179081891027d1b87863
SHA512

456cc5cf2bfd10998c312b4573c11b336b4b749aaeaad1de62ed040de2ed474785507cae7fbb731b6bee752afc09ce520e34c6f6036f4e1394f5918de2af7544
SSDEEP

49152:NKydJAg5zPvhSPKuqk1vyXJ6ytJHOday3:nHuK5JSd3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2284	72de7a1e06392946dbda10750c60318b.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	72de7a1e06392946dbda10750c60318b.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	72de7a1e06392946dbda10750c60318b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000900000001447e-14.dat	upx
behavioral1/files/0x000900000001447e-13.dat	upx
behavioral1/files/0x000900000001447e-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	72de7a1e06392946dbda10750c60318b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	72de7a1e06392946dbda10750c60318b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	72de7a1e06392946dbda10750c60318b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	72de7a1e06392946dbda10750c60318b.exe
2284	72de7a1e06392946dbda10750c60318b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2284	1680	72de7a1e06392946dbda10750c60318b.exe	17
PID 1680 wrote to memory of 2284	1680	72de7a1e06392946dbda10750c60318b.exe	17
PID 1680 wrote to memory of 2284	1680	72de7a1e06392946dbda10750c60318b.exe	17
PID 1680 wrote to memory of 2284	1680	72de7a1e06392946dbda10750c60318b.exe	17

C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe
"C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe
  C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe

Filesize
62KB

MD5
25bf98c1c4a9ad121e15f63b592dc0f4

SHA1
2ba83b06924f85d14d19aa14e768a1bb87286a27

SHA256
25d053f543f06e8a6789d4dfdf7c13ebccfaa26ce3264a9c649489bccbcf9166

SHA512
1b4bd4944a42fbfab2aa46586516ef05999ac3b569ed3e016f67d14416e3989366f7382cb17cc6ce5bc890361b2cb60dcf0638fe5bb7ea1b5daf0e28b23f4719

Download Submit
C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe

Filesize
39KB

MD5
222069e73b50baa310f80ab694de3de2

SHA1
e25eec91fed06edc698a2be9334208df6ba88901

SHA256
405112162b0d2bf1e37d70fe501569492e7ba816d3b9fd8472f1c0d0238595a6

SHA512
4c3c11558323f426eb2936b5a96a2cbbfcd2ec1a7362fd0d9a457bc51ce09f82a0fc8089971be5b3a91084289f2af52de9f92a0be136541223c260f1712f7383

Download Submit
\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe

Filesize
92KB

MD5
068295a2345159cdfcb47ba5d91b4863

SHA1
5a4e9ec262fc05ce6c19deba829c8ec67cc7688f

SHA256
389aede65429df24c4ca1d970db355c75d9316526cf82a7cad59b2c478b28a48

SHA512
4759d467171642b731ef2643b3b9e74e9e791e176c43eac3c63ec78806dc9507b693eaf48beaa7fafe925b922825eec135cc2f01e9118d63ee72df51ec5f274c

Download Submit
memory/1680-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1680-3-0x0000000002240000-0x000000000249A000-memory.dmp

Filesize
2.4MB

Download
memory/1680-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1680-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1680-16-0x0000000003B40000-0x00000000044DE000-memory.dmp

Filesize
9.6MB

Download
memory/1680-34-0x0000000003B40000-0x00000000044DE000-memory.dmp

Filesize
9.6MB

Download
memory/2284-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2284-21-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2284-35-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing