32b2cf0613405b5e98aeb2fcd102d9f640f5739cd145ae812ff8ccac334f9f7e

General

Target

7cbffae4e51c7ff3c388f43a00910a27.exe
Size

3.2MB
MD5

7cbffae4e51c7ff3c388f43a00910a27
SHA1

017a0e8e2662767e88474314c723d1e729fe8dcd
SHA256

32b2cf0613405b5e98aeb2fcd102d9f640f5739cd145ae812ff8ccac334f9f7e
SHA512

cceb954e084460048128b5dae9d1aad25632b79a2fceb137d707501fa14b3564a81b34741f0a0a4eae1ecedefda7e052e07534fe9e1184047264c1a6b1325bf7
SSDEEP

98304:X5+sA34nbMWoscakchS87ccakcvR+yIboHACcakchS87ccakcO:XssAGjdlhS87cdlp+tbkldlhS87cdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1984	7cbffae4e51c7ff3c388f43a00910a27.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	7cbffae4e51c7ff3c388f43a00910a27.exe

Loads dropped DLL 1 IoCs

pid	Process
2988	7cbffae4e51c7ff3c388f43a00910a27.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000143f9-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1432	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7cbffae4e51c7ff3c388f43a00910a27.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7cbffae4e51c7ff3c388f43a00910a27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7cbffae4e51c7ff3c388f43a00910a27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7cbffae4e51c7ff3c388f43a00910a27.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2988	7cbffae4e51c7ff3c388f43a00910a27.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2988	7cbffae4e51c7ff3c388f43a00910a27.exe
1984	7cbffae4e51c7ff3c388f43a00910a27.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1984	2988	7cbffae4e51c7ff3c388f43a00910a27.exe	29
PID 2988 wrote to memory of 1984	2988	7cbffae4e51c7ff3c388f43a00910a27.exe	29
PID 2988 wrote to memory of 1984	2988	7cbffae4e51c7ff3c388f43a00910a27.exe	29
PID 2988 wrote to memory of 1984	2988	7cbffae4e51c7ff3c388f43a00910a27.exe	29
PID 1984 wrote to memory of 1432	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	30
PID 1984 wrote to memory of 1432	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	30
PID 1984 wrote to memory of 1432	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	30
PID 1984 wrote to memory of 1432	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	30
PID 1984 wrote to memory of 2656	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	34
PID 1984 wrote to memory of 2656	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	34
PID 1984 wrote to memory of 2656	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	34
PID 1984 wrote to memory of 2656	1984	7cbffae4e51c7ff3c388f43a00910a27.exe	34
PID 2656 wrote to memory of 2872	2656	cmd.exe	32
PID 2656 wrote to memory of 2872	2656	cmd.exe	32
PID 2656 wrote to memory of 2872	2656	cmd.exe	32
PID 2656 wrote to memory of 2872	2656	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe
"C:\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe
  C:\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\Vf4mDm.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vf4mDm.xml

Filesize
1KB

MD5
db85ccbd825413540066dfc48b89333d

SHA1
2957efc5ad853ee90d4e7489ddb6c3fbdf3f8ee8

SHA256
b5384bae549789283805aff89ae7b9e15808b80bb68aa020645f9bda6a7baa80

SHA512
78d41683f896fcd533637932aa53248e7f5ce6928890d6393d3a856904e4d22f83868506a48ac31504fea0349063fdc6f6210309b74942fcfb9324d4cb009809

Download Submit
\Users\Admin\AppData\Local\Temp\7cbffae4e51c7ff3c388f43a00910a27.exe

Filesize
3.2MB

MD5
ba16a761772c5107b6b537153b752588

SHA1
84e3d5a6bcf362cc3947d34f2f10d84013fb6249

SHA256
4e81a1934dc98777f394f56d19178d9aa4d5acb5a1f64f86a590dc8d5984c762

SHA512
4e8fe3871fecc83d8362095fcb603e96c572ebe49a0ab7ee94f74c7c1d2517d7f0b561ca240cef9c03a95f858d2f05007b636ed59e074ac1419bbaf8d6abc032

Download Submit
memory/1984-18-0x00000000002D0000-0x000000000034E000-memory.dmp

Filesize
504KB

Download
memory/1984-23-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1984-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1984-30-0x0000000000350000-0x00000000003BB000-memory.dmp

Filesize
428KB

Download
memory/1984-43-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2988-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2988-3-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2988-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2988-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads