4a51d475a21dd8cc4d62d8b665b13dcf95c18ca9830f528092236fc8303b3cfa

General

Target

79f8a6855bff25672d8de0eb51b794ca.exe
Size

1.5MB
MD5

79f8a6855bff25672d8de0eb51b794ca
SHA1

833dd25b7df608612b1e92979076c8f92e40fe84
SHA256

4a51d475a21dd8cc4d62d8b665b13dcf95c18ca9830f528092236fc8303b3cfa
SHA512

ced9d2a7fb781325ae970af597c0bc7a0d951e7ce8d035b2bf9b7f83b5c3ec67a2a8243dd2d66d5fabd908c66bf3b3efc88be312d4ca9dbd69f09edeecdf63a5
SSDEEP

24576:JsG0fR6HHfS/cG6cplv/cjukL2ZEN2TinYbR+FNvXU7cjukL2Y:JsHfR6HHfST6Qlv/cakLiIwinYb4FBUy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2920	79f8a6855bff25672d8de0eb51b794ca.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	79f8a6855bff25672d8de0eb51b794ca.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	79f8a6855bff25672d8de0eb51b794ca.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001232b-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2848	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	79f8a6855bff25672d8de0eb51b794ca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	79f8a6855bff25672d8de0eb51b794ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	79f8a6855bff25672d8de0eb51b794ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2520	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2520	79f8a6855bff25672d8de0eb51b794ca.exe
2920	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2920	2520	79f8a6855bff25672d8de0eb51b794ca.exe	29
PID 2520 wrote to memory of 2920	2520	79f8a6855bff25672d8de0eb51b794ca.exe	29
PID 2520 wrote to memory of 2920	2520	79f8a6855bff25672d8de0eb51b794ca.exe	29
PID 2520 wrote to memory of 2920	2520	79f8a6855bff25672d8de0eb51b794ca.exe	29
PID 2920 wrote to memory of 2848	2920	79f8a6855bff25672d8de0eb51b794ca.exe	30
PID 2920 wrote to memory of 2848	2920	79f8a6855bff25672d8de0eb51b794ca.exe	30
PID 2920 wrote to memory of 2848	2920	79f8a6855bff25672d8de0eb51b794ca.exe	30
PID 2920 wrote to memory of 2848	2920	79f8a6855bff25672d8de0eb51b794ca.exe	30
PID 2920 wrote to memory of 2764	2920	79f8a6855bff25672d8de0eb51b794ca.exe	34
PID 2920 wrote to memory of 2764	2920	79f8a6855bff25672d8de0eb51b794ca.exe	34
PID 2920 wrote to memory of 2764	2920	79f8a6855bff25672d8de0eb51b794ca.exe	34
PID 2920 wrote to memory of 2764	2920	79f8a6855bff25672d8de0eb51b794ca.exe	34
PID 2764 wrote to memory of 2096	2764	cmd.exe	33
PID 2764 wrote to memory of 2096	2764	cmd.exe	33
PID 2764 wrote to memory of 2096	2764	cmd.exe	33
PID 2764 wrote to memory of 2096	2764	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
"C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
  C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\VV4Lf5t.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VV4Lf5t.xml

Filesize
1KB

MD5
df488c8a40e0a66ddaa869db45c974db

SHA1
fed50b845dfe3f336006fff251e17a5fa35bb22a

SHA256
299a49a2007a90156f60c008fb9e23cd5d31c4c92b764336ea8d3536bd556aa1

SHA512
78067b6436e5aa361dde13cfa5691571f242e0d12bd07599c0b154583e11be6b1da0b887b663b1a1e1882d25c46f7e8e6af9a2eb5b94d1b4d1249708a8056587

Download Submit
\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe

Filesize
1.5MB

MD5
fb1c06f903f66d6af438921a6410d39c

SHA1
5e08112054544ccf7e65d4b261a65126d382fb4b

SHA256
1cf4156813dc3c0584a7d7229b0b6ad7a7d5fa27b2b880cb158d8bc79e887903

SHA512
107748e3be71c9a42b5890552288ca77767805ef047be3f5649fdce5d99fa3ec875a057f97a742c36907c224d1895820758a2c0dddd2a6a56180e55a8d1a51ab

Download Submit
memory/2520-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2520-3-0x0000000000290000-0x000000000030E000-memory.dmp

Filesize
504KB

Download
memory/2520-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2520-17-0x0000000023180000-0x00000000233DC000-memory.dmp

Filesize
2.4MB

Download
memory/2520-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2920-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2920-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2920-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2920-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads