2f8bbcd21805f0cb3e7b69ec9e5b4277885f403bf1d278ae6248965d2730ba79

General

Target

895c802177abbd362b58479798f1111c.exe
Size

1003KB
MD5

895c802177abbd362b58479798f1111c
SHA1

2f432ec61a18ee555cc933622b43a4bdea0bd6e2
SHA256

2f8bbcd21805f0cb3e7b69ec9e5b4277885f403bf1d278ae6248965d2730ba79
SHA512

5bd16060fb4ab6a383406120eef6b55693fcc369c586bff39c88d667b4ca027a7b3f10548319a2917bd1cc6002133810e36a95e476127042fd4a66942871b014
SSDEEP

24576:aBE3RgOv7NT+70QagZ9PHJEuMlSVj21RaBkoXlq:CnOzNT+70Q3Z9PHJEuMlSVj21RaBkoXl

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2124	895c802177abbd362b58479798f1111c.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	895c802177abbd362b58479798f1111c.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	895c802177abbd362b58479798f1111c.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a0000000135c2-11.dat	upx
behavioral1/files/0x000a0000000135c2-17.dat	upx
behavioral1/memory/2364-16-0x0000000022FE0000-0x000000002323C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	895c802177abbd362b58479798f1111c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	895c802177abbd362b58479798f1111c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	895c802177abbd362b58479798f1111c.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	895c802177abbd362b58479798f1111c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2364	895c802177abbd362b58479798f1111c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2364	895c802177abbd362b58479798f1111c.exe
2124	895c802177abbd362b58479798f1111c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2124	2364	895c802177abbd362b58479798f1111c.exe	16
PID 2364 wrote to memory of 2124	2364	895c802177abbd362b58479798f1111c.exe	16
PID 2364 wrote to memory of 2124	2364	895c802177abbd362b58479798f1111c.exe	16
PID 2364 wrote to memory of 2124	2364	895c802177abbd362b58479798f1111c.exe	16
PID 2124 wrote to memory of 2784	2124	895c802177abbd362b58479798f1111c.exe	17
PID 2124 wrote to memory of 2784	2124	895c802177abbd362b58479798f1111c.exe	17
PID 2124 wrote to memory of 2784	2124	895c802177abbd362b58479798f1111c.exe	17
PID 2124 wrote to memory of 2784	2124	895c802177abbd362b58479798f1111c.exe	17
PID 2124 wrote to memory of 2704	2124	895c802177abbd362b58479798f1111c.exe	31
PID 2124 wrote to memory of 2704	2124	895c802177abbd362b58479798f1111c.exe	31
PID 2124 wrote to memory of 2704	2124	895c802177abbd362b58479798f1111c.exe	31
PID 2124 wrote to memory of 2704	2124	895c802177abbd362b58479798f1111c.exe	31
PID 2704 wrote to memory of 3000	2704	cmd.exe	32
PID 2704 wrote to memory of 3000	2704	cmd.exe	32
PID 2704 wrote to memory of 3000	2704	cmd.exe	32
PID 2704 wrote to memory of 3000	2704	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe
C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe" /TN Nnb8kaFf43a4 /F
  2⤵
  - Creates scheduled task(s)
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\smQB8.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Query /XML /TN Nnb8kaFf43a4
    3⤵
    PID:3000

C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe
"C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe

Filesize
114KB

MD5
911d9be14191b7919b92d03a3cd192dc

SHA1
40f32ad646756ae2217962c289c0e7628e0099c1

SHA256
247eeefa4d6060e01861a965c6f27e0770a078e5703bf5316ada039f1d5275dc

SHA512
508d32d0887aa8ecc36f0750b579ce74b2c9fd43952d341035ed85636b941a079f979768856bfa4146c7a94d4534173f0cf7c40cb04b018747b941c256e2a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\smQB8.xml

Filesize
1KB

MD5
daa10bd4df2dd412f7418b1b98dbe035

SHA1
1b366294731520f2e1a03d52647d4ca2b7b53d23

SHA256
e457b38fac4d2e255eca8fe43b0d996309d2b4d667f997e2557bfb354e97ecc0

SHA512
dee1d7ea16c7af0385a330a47b8eadead5ff5a5c36903d8bb09882bc28c4d190a1ad2a844d3542aae2189ceacf787fb3bdf58df5527cd6fc0497c1243432e370

Download Submit
\Users\Admin\AppData\Local\Temp\895c802177abbd362b58479798f1111c.exe

Filesize
163KB

MD5
97becabe9da560b69da9c78553be470b

SHA1
4a4506c1298868b1e30df9ea8c655a72c245beaf

SHA256
84931cf011f375b48efc10ded6b1169aa025077ba709ac62b41d7c0c2337d58d

SHA512
507fa42bf4885179ccff0aa97be65e021340ebc8a246158fbbad5404c2d403bedc95f23fcfad377ea645fbadca32aeeabaa45226fda5cfbd8d0dd2e2ed0b78c0

Download Submit
memory/2124-31-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/2124-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2124-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2124-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2124-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2364-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2364-4-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2364-16-0x0000000022FE0000-0x000000002323C000-memory.dmp

Filesize
2.4MB

Download
memory/2364-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2364-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads