61301b818dfb1401e3354bcd7ceeb461230de86f63cd7b6a0716616aaf01477c

General

Target

72faae5ab5df6ec8cf01da8f71b7d3b1.exe
Size

11.0MB
MD5

72faae5ab5df6ec8cf01da8f71b7d3b1
SHA1

13e47ec3f668867c06fa00eced2cd338d6d000c3
SHA256

61301b818dfb1401e3354bcd7ceeb461230de86f63cd7b6a0716616aaf01477c
SHA512

b9da7d3b208b300f98887862cb928427396509eec0f3d9e81efb3f996ca5b098be037a865f246f4cfd0b608a205449f7b197a1709909ffdbb3ace0092a4154d7
SSDEEP

98304:XMhSIsXcqnY1DcZFeDG35mCckFR+vicS43cxNg8R3PG35mCckFR+vicS43:XMhOXVY5wKm33FR+6ckJ/m33FR+6c

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000900000001224e-14.dat	upx
behavioral1/files/0x000900000001224e-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	72faae5ab5df6ec8cf01da8f71b7d3b1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe
2800	72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2800	2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe	18
PID 2316 wrote to memory of 2800	2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe	18
PID 2316 wrote to memory of 2800	2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe	18
PID 2316 wrote to memory of 2800	2316	72faae5ab5df6ec8cf01da8f71b7d3b1.exe	18

C:\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe
"C:\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe
  C:\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Filesize
10KB

MD5
ed60fbe3bbd38bb36b130b6ede4422c1

SHA1
4409673b0da0a83087d4ce33b6352a05f5084210

SHA256
97acbd28c4cd913c3d51988386f413604b899f9a33c023a0640ea8627bfdb465

SHA512
00e68781e53b696f251d3ed3feb303acbb1212537828134bc7f51ca58890e2c48959ce4f2aaead02bd2bfb0a21a4df8e35b7f5ac0a6979061fb3d3814f81ae08

Download Submit
\Users\Admin\AppData\Local\Temp\72faae5ab5df6ec8cf01da8f71b7d3b1.exe

Filesize
5KB

MD5
ab1af0942c1742fe52b327f2c6ee4a32

SHA1
99e7f8e756d107eeb8b99973c7af5702732203d4

SHA256
26db755678ff74453bc56f6ac8ee7a8f34d313dbff9fb37297048d5cb63fdf3b

SHA512
50d693e9ed6b72431ef40e05211b6ad4db69956741e77de5a4762646671dced652ddb5cadc19df0a1c7229de53f8245d124525ddbcba3f2e49c262ea6fb7a7b5

Download Submit
memory/2316-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2316-2-0x0000000002270000-0x00000000024CA000-memory.dmp

Filesize
2.4MB

Download
memory/2316-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2316-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2800-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2800-16-0x0000000002250000-0x00000000024AA000-memory.dmp

Filesize
2.4MB

Download
memory/2800-42-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing