ea530421275593d4b41ccc05bb151ab06a5195b6607575d72b398d1f4c06d15e

General

Target

7d3dd4d88bbb13c34773d5d3120cb861.exe
Size

3.9MB
MD5

7d3dd4d88bbb13c34773d5d3120cb861
SHA1

1646f429e499c818f75ce6ff11ddbfacfbe90c21
SHA256

ea530421275593d4b41ccc05bb151ab06a5195b6607575d72b398d1f4c06d15e
SHA512

bc58b968d9897133e57913d65f4d0ebeab3d999c05036fbd6b02b92b325dadb7c56c4089dfdc98ba83fcdf58c3b971112ce060362c11b802fe16aa51613dd33a
SSDEEP

98304:2weG/f0+zqcakcibiqhLKG939DhcakcibiqhHC8wqgxmBrPzsUm3cakcibiqhLKF:JeG/fJzqdlir9KG939hdlirYjqgxmxPs

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1232	7d3dd4d88bbb13c34773d5d3120cb861.exe

Executes dropped EXE 1 IoCs

pid	Process
1232	7d3dd4d88bbb13c34773d5d3120cb861.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	7d3dd4d88bbb13c34773d5d3120cb861.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d000000012251-11.dat	upx
behavioral1/files/0x000d000000012251-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2552	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7d3dd4d88bbb13c34773d5d3120cb861.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7d3dd4d88bbb13c34773d5d3120cb861.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7d3dd4d88bbb13c34773d5d3120cb861.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7d3dd4d88bbb13c34773d5d3120cb861.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3064	7d3dd4d88bbb13c34773d5d3120cb861.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3064	7d3dd4d88bbb13c34773d5d3120cb861.exe
1232	7d3dd4d88bbb13c34773d5d3120cb861.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1232	3064	7d3dd4d88bbb13c34773d5d3120cb861.exe	30
PID 3064 wrote to memory of 1232	3064	7d3dd4d88bbb13c34773d5d3120cb861.exe	30
PID 3064 wrote to memory of 1232	3064	7d3dd4d88bbb13c34773d5d3120cb861.exe	30
PID 3064 wrote to memory of 1232	3064	7d3dd4d88bbb13c34773d5d3120cb861.exe	30
PID 1232 wrote to memory of 2552	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	31
PID 1232 wrote to memory of 2552	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	31
PID 1232 wrote to memory of 2552	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	31
PID 1232 wrote to memory of 2552	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	31
PID 1232 wrote to memory of 2704	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	33
PID 1232 wrote to memory of 2704	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	33
PID 1232 wrote to memory of 2704	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	33
PID 1232 wrote to memory of 2704	1232	7d3dd4d88bbb13c34773d5d3120cb861.exe	33
PID 2704 wrote to memory of 2800	2704	cmd.exe	34
PID 2704 wrote to memory of 2800	2704	cmd.exe	34
PID 2704 wrote to memory of 2800	2704	cmd.exe	34
PID 2704 wrote to memory of 2800	2704	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe
"C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe
  C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\P1UJFf.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe

Filesize
606KB

MD5
62eb7f8349bc27e0b5fe3548b5091292

SHA1
6ea1f5dc0a01bfb5011922229ff651d348a661ed

SHA256
22d02340c4842bf13cc03e0f3bc3fc34660e9048565eb6ca5ad4fcae400d4919

SHA512
cef97f8a5616f65b1b97c42fa47bfb041cecf88deaab7f51bd931440d40bf9c1b157048baedbe3d44cbaf6fe18644b174c701f23b6bf4326f11e3a66478307b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1UJFf.xml

Filesize
1KB

MD5
2bac322afec8e4506521d84a57d90bab

SHA1
1e86f00278d476763d356aefa975ee8767536e39

SHA256
43122b9fa7bd86564e06293901898bfb71f48a8a0c7cc4cf1ffc6159b618a4e0

SHA512
1e6db7f045a3c862aaf0ba2c99edcbf29bafe55a9be2b388b39dd50723c480660db1b3c3efa68c139c6a10eea244dab1d95b9c40464f8a95eeb6d7b8e31c4f11

Download Submit
\Users\Admin\AppData\Local\Temp\7d3dd4d88bbb13c34773d5d3120cb861.exe

Filesize
681KB

MD5
e03370ed1c6ffd33f18863745aa80b7e

SHA1
bfc353f1edb148e135cc27f9c26bf1aaa99bbc33

SHA256
60f4371264cba4c429ff964b9d966684fb61fd52ea55b1ba019a4fa9937b2881

SHA512
6b070061c11e6c50b13240c1d17a5af71ef3adfc014a09f7dd9f71c9d9ee39b719d1743578661379848b5f5ac241bf20caafa812e618ca15f18626a056c56fd4

Download Submit
memory/1232-18-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/1232-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1232-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1232-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1232-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-19-0x00000000236E0000-0x000000002393C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3064-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3064-4-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads