1a0f18815358ffff754e3c2a8b4bea3f03735265800c63ea55a7cc0cbeb5898a

General

Target

7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
Size

3.9MB
MD5

7e1f2861bc2c6452f243b5c1a5d1dc5d
SHA1

fb0f39266c4d0fe9a4f160414debca158f999a48
SHA256

1a0f18815358ffff754e3c2a8b4bea3f03735265800c63ea55a7cc0cbeb5898a
SHA512

231f57c8235abd32250c6281999279b077e75d740993f9169ee82b258dd39c039e1516f8e16340c6afb35ba56e5f47babc52eabee0bb07f90444dd00012593e0
SSDEEP

98304:R7FdrbRVunJUrcakcibiqhw5vB5HycakcibiqhEV1JX9cakcibiqhw5vB5Hycakh:lrbRVGUrdlirSdydlirmLJX9dlirSdy+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000133a9-11.dat	upx
behavioral1/files/0x000b0000000133a9-15.dat	upx
behavioral1/memory/2324-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2324	2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	29
PID 2888 wrote to memory of 2324	2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	29
PID 2888 wrote to memory of 2324	2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	29
PID 2888 wrote to memory of 2324	2888	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	29
PID 2324 wrote to memory of 2596	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	31
PID 2324 wrote to memory of 2596	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	31
PID 2324 wrote to memory of 2596	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	31
PID 2324 wrote to memory of 2596	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	31
PID 2324 wrote to memory of 2652	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	33
PID 2324 wrote to memory of 2652	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	33
PID 2324 wrote to memory of 2652	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	33
PID 2324 wrote to memory of 2652	2324	7e1f2861bc2c6452f243b5c1a5d1dc5d.exe	33
PID 2652 wrote to memory of 2676	2652	cmd.exe	34
PID 2652 wrote to memory of 2676	2652	cmd.exe	34
PID 2652 wrote to memory of 2676	2652	cmd.exe	34
PID 2652 wrote to memory of 2676	2652	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
"C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
  C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\i0mw2oE.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN qm2lmOfce5f6
      4⤵
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Filesize
1.8MB

MD5
ea4e6f5447dad82f3b1bcd3cb4166574

SHA1
868bab169e3feb02ad043bd15be172850da9f01c

SHA256
0360bcf0ae9232aea7871b71378e71527da40f617cd1828e6615df2e5a4a6742

SHA512
c969c7acdfc2d0a9a90dc37ffacf1d1316d217c19c4a300f7ca788ad112c74053c663989d7f2ee4752bee6b71b5eb569ef0547395ede227fbc4e8dec44a25473

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0mw2oE.xml

Filesize
1KB

MD5
27f188b0427f454bd1619eb61e35cc74

SHA1
709499bc717e4f644efba507d6c3bc4f98e18307

SHA256
dde8a7219ce48b21807958406e133013d241119fbc830a42688617ad6ceb5fbf

SHA512
4b378ae24ff308e9411e484b93d247d2d7ac12f1fa0692461471051ebf6cc97aa664b8d07f9096662b09927f321ecdf1f99fe7ff98478e00833910c5fcd66a01

Download Submit
\Users\Admin\AppData\Local\Temp\7e1f2861bc2c6452f243b5c1a5d1dc5d.exe

Filesize
1.4MB

MD5
1cd22ce99a965cba1ebf9ff053a0e890

SHA1
5fd44950fd7f0f9b4935809ca5aa45079a33c629

SHA256
0bf3b557d4073463a3f8ae77b14befb5b0a4b92fe8285e173e5b200941cfd89d

SHA512
847e8e5bb401936a7b37f94649329f2e53b2e46993f4b902457aceb0b967afd281e200424293deab819ddf47d98ac34dc67dd21db6c59194edf33dc4f3da6687

Download Submit
memory/2324-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2324-19-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2324-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2324-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2324-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2888-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2888-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2888-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2888-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads