6554fa82f9154d6d39c129916a39e2643695ff0ee7b48fb8680dac4c6b1e44c0

General

Target

85adf8728a5c0a353c13c90bcc41cf71.exe
Size

1.5MB
MD5

85adf8728a5c0a353c13c90bcc41cf71
SHA1

d02bf9774c4e225e70f658c815c4130ab815444b
SHA256

6554fa82f9154d6d39c129916a39e2643695ff0ee7b48fb8680dac4c6b1e44c0
SHA512

68782f8755c2475cd3a4df0583f61daa8fad3a95097f7d07ebadb68c346dee9b32484c81915535c8ebeb465ef8a5eb72c201ad10313988a69f2ac0fdb51fc73b
SSDEEP

24576:43x60yh/8B+uJvnEcjukL2Iqxui71kyhJH6cjukL2Y:8x63h/8B+uhnEcakLxi71kiJacakLj

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2460	85adf8728a5c0a353c13c90bcc41cf71.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	85adf8728a5c0a353c13c90bcc41cf71.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	85adf8728a5c0a353c13c90bcc41cf71.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2460-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012233-16.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	85adf8728a5c0a353c13c90bcc41cf71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	85adf8728a5c0a353c13c90bcc41cf71.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	85adf8728a5c0a353c13c90bcc41cf71.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	85adf8728a5c0a353c13c90bcc41cf71.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3036	85adf8728a5c0a353c13c90bcc41cf71.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3036	85adf8728a5c0a353c13c90bcc41cf71.exe
2460	85adf8728a5c0a353c13c90bcc41cf71.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2460	3036	85adf8728a5c0a353c13c90bcc41cf71.exe	29
PID 3036 wrote to memory of 2460	3036	85adf8728a5c0a353c13c90bcc41cf71.exe	29
PID 3036 wrote to memory of 2460	3036	85adf8728a5c0a353c13c90bcc41cf71.exe	29
PID 3036 wrote to memory of 2460	3036	85adf8728a5c0a353c13c90bcc41cf71.exe	29
PID 2460 wrote to memory of 2812	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	30
PID 2460 wrote to memory of 2812	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	30
PID 2460 wrote to memory of 2812	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	30
PID 2460 wrote to memory of 2812	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	30
PID 2460 wrote to memory of 2696	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	32
PID 2460 wrote to memory of 2696	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	32
PID 2460 wrote to memory of 2696	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	32
PID 2460 wrote to memory of 2696	2460	85adf8728a5c0a353c13c90bcc41cf71.exe	32
PID 2696 wrote to memory of 2168	2696	cmd.exe	34
PID 2696 wrote to memory of 2168	2696	cmd.exe	34
PID 2696 wrote to memory of 2168	2696	cmd.exe	34
PID 2696 wrote to memory of 2168	2696	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe
"C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe
  C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\PpyUcm3N.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85adf8728a5c0a353c13c90bcc41cf71.exe

Filesize
1.5MB

MD5
a017b2fd1c4fffa072d1cd14f6f33b76

SHA1
f5b4b88a3f2655f1c9272ebf12d70d59e87e7722

SHA256
b44bdd0fd758a79c665faa0d69dd6423b96a771f8c628ed52eb0b14696b8ab3f

SHA512
787a8a4d04dbd763d63c73e682e6659c84fbc2ebaf07986f21457f88f7ae19412864b087c20a81f0510024ec6cca2bbe274ef29c36622df57fb682f83bde9436

Download Submit
C:\Users\Admin\AppData\Local\Temp\PpyUcm3N.xml

Filesize
1KB

MD5
eea82aeff42021c8a4ea41db3c675376

SHA1
6f152e9036f85c14c499a693968ca4b555a477be

SHA256
f16bda9e195f90b0914f27dd40dde2555761fc3f3371e52e64b4fb04e18e5062

SHA512
1be814ebfa26e706be91e78a57a905f2acbd5d7ce3fb8029be7ff4089bceedb0d71b91c54c3aa59e103bae2382471021fd071ef3fd6bf8ea9cfdacc1b54b33b3

Download Submit
memory/2460-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2460-24-0x0000000000260000-0x00000000002DE000-memory.dmp

Filesize
504KB

Download
memory/2460-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2460-27-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2460-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3036-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3036-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3036-2-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/3036-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads