7a49ee804b6280b6895f21c33b02ed8e01f6296350a67840f591d6a540d37e96

General

Target

8afc556fe140562dd935372ebef6b31b.exe
Size

3.9MB
MD5

8afc556fe140562dd935372ebef6b31b
SHA1

beea218fe81d1afdeafb3de2bd1b5f4873f73bce
SHA256

7a49ee804b6280b6895f21c33b02ed8e01f6296350a67840f591d6a540d37e96
SHA512

e11befde24a241e640e8b1276c11990e30cbada013a89cde927667670527e028423b8380e8434d4f5759f285134c6f562c178c2f796c0a4c3c815d7141518fc0
SSDEEP

98304:Byow00q/5cakcibiqhMbMgOn7n0bcakcibiqh9zEdfTbl9PRcakcibiqhMbMgOn1:cow0LdlirybMgOnkdlirnzE9TPPRdlix

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	8afc556fe140562dd935372ebef6b31b.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	8afc556fe140562dd935372ebef6b31b.exe

Loads dropped DLL 1 IoCs

pid	Process
2596	8afc556fe140562dd935372ebef6b31b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012262-11.dat	upx
behavioral1/files/0x0008000000012262-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2768	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8afc556fe140562dd935372ebef6b31b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8afc556fe140562dd935372ebef6b31b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8afc556fe140562dd935372ebef6b31b.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8afc556fe140562dd935372ebef6b31b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2596	8afc556fe140562dd935372ebef6b31b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2596	8afc556fe140562dd935372ebef6b31b.exe
2664	8afc556fe140562dd935372ebef6b31b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2664	2596	8afc556fe140562dd935372ebef6b31b.exe	29
PID 2596 wrote to memory of 2664	2596	8afc556fe140562dd935372ebef6b31b.exe	29
PID 2596 wrote to memory of 2664	2596	8afc556fe140562dd935372ebef6b31b.exe	29
PID 2596 wrote to memory of 2664	2596	8afc556fe140562dd935372ebef6b31b.exe	29
PID 2664 wrote to memory of 2768	2664	8afc556fe140562dd935372ebef6b31b.exe	30
PID 2664 wrote to memory of 2768	2664	8afc556fe140562dd935372ebef6b31b.exe	30
PID 2664 wrote to memory of 2768	2664	8afc556fe140562dd935372ebef6b31b.exe	30
PID 2664 wrote to memory of 2768	2664	8afc556fe140562dd935372ebef6b31b.exe	30
PID 2664 wrote to memory of 2784	2664	8afc556fe140562dd935372ebef6b31b.exe	32
PID 2664 wrote to memory of 2784	2664	8afc556fe140562dd935372ebef6b31b.exe	32
PID 2664 wrote to memory of 2784	2664	8afc556fe140562dd935372ebef6b31b.exe	32
PID 2664 wrote to memory of 2784	2664	8afc556fe140562dd935372ebef6b31b.exe	32
PID 2784 wrote to memory of 2820	2784	cmd.exe	33
PID 2784 wrote to memory of 2820	2784	cmd.exe	33
PID 2784 wrote to memory of 2820	2784	cmd.exe	33
PID 2784 wrote to memory of 2820	2784	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
"C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
  C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\aQwk0.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Nnb8kaFf43a4
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe

Filesize
1.2MB

MD5
e22a2903f84e2911f5d15618a598e720

SHA1
ce71537064604574e4b63c811bdda618c30ba885

SHA256
c7817692254e28f133d6ec8a178b0124205f44526e9a85d1667d9fa66224399c

SHA512
785e01d6b98eb10db5050c164d9963f101b934284370264ac7302266262e173459782582453bbdae2f4eea0df0cb6eb21ffe9877f1481c631e66c770849d6796

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwk0.xml

Filesize
1KB

MD5
60730feb8cae9c5346f619bc1fe934c5

SHA1
5a9efd6b49b9e12f9d937725d424424d0195e736

SHA256
03ad37b28c377ad32cdc526d65841a0b5cb947f5f0cef9e0102513f76f647383

SHA512
1751ee671af6394118493103668524b5fa33eb2194874932764bf17960d65d0d449c1f97ed8d6774faa093ab8bc8a6fec4c01aba0c42adab0aed134187d9a26e

Download Submit
\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe

Filesize
1.1MB

MD5
f0edd81bc20bd41ddc56097ac91b74af

SHA1
271c8de71705f3dc6ab9a17b5d035fc6b2261589

SHA256
3b1f925bf0f54d1ead2b5b65df49e9486baa3d10b00400a2b0ef9831867d9d6b

SHA512
88b2491c4d2ad3a24029ac81ba4dd38e593011299beccf83ff3854348d30c26c16b205f0e22c9931c498cf01a531d092c9329dc6bb7ed7212a406b46a0d85725

Download Submit
memory/2596-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2596-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2596-17-0x0000000023610000-0x000000002386C000-memory.dmp

Filesize
2.4MB

Download
memory/2596-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2596-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2596-53-0x0000000023610000-0x000000002386C000-memory.dmp

Filesize
2.4MB

Download
memory/2664-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2664-22-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2664-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2664-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2664-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads