adea4fca625dd47fb7188c900a76eea4ffab31e952e129bd0775646ad1241e1c

General

Target

791b5d254d26c587d6ed6a85ed95c680.exe
Size

2.0MB
MD5

791b5d254d26c587d6ed6a85ed95c680
SHA1

4ac10b0d90e40b56bcfca407bff107541687df53
SHA256

adea4fca625dd47fb7188c900a76eea4ffab31e952e129bd0775646ad1241e1c
SHA512

ae86d2e16f144699eb08c64b58405f70e3a0150c88dbb5b0f07e232637cd0bcb20ab541225acb2af9c07a9ed25b7aa9f10df4c5797b03f276e69719685a643e2
SSDEEP

49152:RKYR/IJMIM9jwBlXd3sToyPc0DpidVpO8xplMIM9jwBlXd3s:RT/IJM9cB51Drsi7pXxplM9cB51

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	791b5d254d26c587d6ed6a85ed95c680.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	791b5d254d26c587d6ed6a85ed95c680.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	791b5d254d26c587d6ed6a85ed95c680.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000126e7-11.dat	upx
behavioral1/files/0x000b0000000126e7-17.dat	upx
behavioral1/memory/1848-16-0x0000000023270000-0x00000000234CC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	791b5d254d26c587d6ed6a85ed95c680.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	791b5d254d26c587d6ed6a85ed95c680.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	791b5d254d26c587d6ed6a85ed95c680.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	791b5d254d26c587d6ed6a85ed95c680.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1848	791b5d254d26c587d6ed6a85ed95c680.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1848	791b5d254d26c587d6ed6a85ed95c680.exe
3044	791b5d254d26c587d6ed6a85ed95c680.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3044	1848	791b5d254d26c587d6ed6a85ed95c680.exe	29
PID 1848 wrote to memory of 3044	1848	791b5d254d26c587d6ed6a85ed95c680.exe	29
PID 1848 wrote to memory of 3044	1848	791b5d254d26c587d6ed6a85ed95c680.exe	29
PID 1848 wrote to memory of 3044	1848	791b5d254d26c587d6ed6a85ed95c680.exe	29
PID 3044 wrote to memory of 2744	3044	791b5d254d26c587d6ed6a85ed95c680.exe	30
PID 3044 wrote to memory of 2744	3044	791b5d254d26c587d6ed6a85ed95c680.exe	30
PID 3044 wrote to memory of 2744	3044	791b5d254d26c587d6ed6a85ed95c680.exe	30
PID 3044 wrote to memory of 2744	3044	791b5d254d26c587d6ed6a85ed95c680.exe	30
PID 3044 wrote to memory of 2672	3044	791b5d254d26c587d6ed6a85ed95c680.exe	32
PID 3044 wrote to memory of 2672	3044	791b5d254d26c587d6ed6a85ed95c680.exe	32
PID 3044 wrote to memory of 2672	3044	791b5d254d26c587d6ed6a85ed95c680.exe	32
PID 3044 wrote to memory of 2672	3044	791b5d254d26c587d6ed6a85ed95c680.exe	32
PID 2672 wrote to memory of 2088	2672	cmd.exe	34
PID 2672 wrote to memory of 2088	2672	cmd.exe	34
PID 2672 wrote to memory of 2088	2672	cmd.exe	34
PID 2672 wrote to memory of 2088	2672	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe
"C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe
  C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\DQCEhw.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe

Filesize
870KB

MD5
91cdb52cf7b1351245ae195d677bee1e

SHA1
5204e72d046d7043fd615c3c63e6929d6f161880

SHA256
87b9f3239db0b42fb1480bc95873eb6d73dd62a537088e2363fecb0e765c4e10

SHA512
ca1352bc4b783ad62ff2f2f9da0e2a236d5b91d35c0b1eec066887d33d1a5edaf4f45f72ad12569756e5d941320e1e3606efe9abc23c171b72c19035ab8c34e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQCEhw.xml

Filesize
1KB

MD5
c3a2615605491c3c3a5c0abbe3b154e3

SHA1
c56180fa03e229c072cd405df90d80ab8de20dfc

SHA256
5809d3be52d18018090560068c04d727e80c0cc6940913e1d9c48340c6d56642

SHA512
0b10882c958ebea61472d6228705b3b9473925779d8785aeed27788f67fd04407c8f550f57a7979ab20bda3dff4eaecc4e866b863c36ac14678ff50558b71e3f

Download Submit
\Users\Admin\AppData\Local\Temp\791b5d254d26c587d6ed6a85ed95c680.exe

Filesize
1.5MB

MD5
003fd112f6171946f88bf1be24c8e2cf

SHA1
26acc6ca8cfefbef6575d0531efcc99a4491b64d

SHA256
1a4fb28af4bbe0c60791dc5e5a9c75be7b865e8d956d8b1e6e6b0aecd63cc5bd

SHA512
32b6518f5a250b9a55afb16355ea2a827c7b99adef565d33bb9da06c686ad940408d55873076ad27bb8edda572c4dfd37387e6b3a745ae78b544af1c02854382

Download Submit
memory/1848-16-0x0000000023270000-0x00000000234CC000-memory.dmp

Filesize
2.4MB

Download
memory/1848-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1848-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1848-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1848-3-0x0000000022DD0000-0x0000000022E4E000-memory.dmp

Filesize
504KB

Download
memory/3044-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3044-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/3044-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3044-41-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads