21de9ff37199db3dd554fad03970e2352c66312e60cc4d05418da893a6bfbfcc

General

Target

8e21453e6c29301129b32446ece9e744.exe
Size

3.0MB
MD5

8e21453e6c29301129b32446ece9e744
SHA1

85421f58fde833a53b32d9c3f5acdbf6cb5ab17d
SHA256

21de9ff37199db3dd554fad03970e2352c66312e60cc4d05418da893a6bfbfcc
SHA512

abd6afb40dd53a3046be176516758cc848306962d013b43f26e152438fa3d1b060bffebcef6d6b50b1d764fa2b53c7d72cc2a380cfb4e1f476d69573abfc4c2d
SSDEEP

49152:gqvh2iqQ8p2cakLyzjcNDQreELepcakLKPNsn5xeQ2rJmzLcakLyzjcNDQreELeU:gqvh26A2cakijyDQreELscakulsn5xeW

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2952	8e21453e6c29301129b32446ece9e744.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	8e21453e6c29301129b32446ece9e744.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	8e21453e6c29301129b32446ece9e744.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000122de-11.dat	upx
behavioral1/files/0x000b0000000122de-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2644	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8e21453e6c29301129b32446ece9e744.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8e21453e6c29301129b32446ece9e744.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8e21453e6c29301129b32446ece9e744.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8e21453e6c29301129b32446ece9e744.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	8e21453e6c29301129b32446ece9e744.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2924	8e21453e6c29301129b32446ece9e744.exe
2952	8e21453e6c29301129b32446ece9e744.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2952	2924	8e21453e6c29301129b32446ece9e744.exe	29
PID 2924 wrote to memory of 2952	2924	8e21453e6c29301129b32446ece9e744.exe	29
PID 2924 wrote to memory of 2952	2924	8e21453e6c29301129b32446ece9e744.exe	29
PID 2924 wrote to memory of 2952	2924	8e21453e6c29301129b32446ece9e744.exe	29
PID 2952 wrote to memory of 2644	2952	8e21453e6c29301129b32446ece9e744.exe	30
PID 2952 wrote to memory of 2644	2952	8e21453e6c29301129b32446ece9e744.exe	30
PID 2952 wrote to memory of 2644	2952	8e21453e6c29301129b32446ece9e744.exe	30
PID 2952 wrote to memory of 2644	2952	8e21453e6c29301129b32446ece9e744.exe	30
PID 2952 wrote to memory of 2692	2952	8e21453e6c29301129b32446ece9e744.exe	34
PID 2952 wrote to memory of 2692	2952	8e21453e6c29301129b32446ece9e744.exe	34
PID 2952 wrote to memory of 2692	2952	8e21453e6c29301129b32446ece9e744.exe	34
PID 2952 wrote to memory of 2692	2952	8e21453e6c29301129b32446ece9e744.exe	34
PID 2692 wrote to memory of 2564	2692	cmd.exe	33
PID 2692 wrote to memory of 2564	2692	cmd.exe	33
PID 2692 wrote to memory of 2564	2692	cmd.exe	33
PID 2692 wrote to memory of 2564	2692	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe
"C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe
  C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\mkyyl3v77.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe

Filesize
680KB

MD5
7313fb1f1519b831a2561be8c67d05b9

SHA1
308bba931483905f81827c9d7a565087d12fff68

SHA256
561147daa2260e8ff3b863f854f7d516e6b0806665d4059b7c09d0262c255ba0

SHA512
60607b6fc09214908f0f3ac45718878dc0b1d554cc4a1f7d2310fa674dc4fbeed9639f33183dd0227a614875ad0bfa686b27f6dd3400ad37d72a353071ba5e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkyyl3v77.xml

Filesize
1KB

MD5
8acb37757fdfb9f63e3dcc42e11e42fc

SHA1
0039972b975d72b21fbe32f61d515239f79417b3

SHA256
b427e7810a78e378483a00b90a4de97d92724819840f4af29f89f45d307f36cb

SHA512
620394d6836da8d4a2392b233c2999400bc3b0e898efac5f29389bfd9134ae6effda0da7176968ecce2e58f33323d6f6a9270469078f98283e9b9accca8c0b07

Download Submit
\Users\Admin\AppData\Local\Temp\8e21453e6c29301129b32446ece9e744.exe

Filesize
617KB

MD5
a436f92cfa5e72ee0588c0d7cb1c9fbb

SHA1
c6d67c40456f67e6096b7c7a01b939e44ff45e1e

SHA256
a152d900691777f86a9779c6dcad08f015a629402f86eeb6155b1482344dc4a0

SHA512
58aac07dcea0684e88ddd992211906478289fbfece04a92502079f1b46a5b4064707b50164edba936787e73ad478e74ebfb7192058b653fd7561304ae46e92d6

Download Submit
memory/2924-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2924-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2924-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2924-17-0x0000000023410000-0x000000002366C000-memory.dmp

Filesize
2.4MB

Download
memory/2924-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2952-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2952-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2952-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-21-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2952-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads