d4d681de3122bc3ae016425a6f3b7bbaa7d9ef062be5791b5aa81e1e15df6726

General

Target

8c599b6de696dd586df71920d59bfd9a.exe
Size

133KB
MD5

8c599b6de696dd586df71920d59bfd9a
SHA1

78275b35418978e7cea2336da120a4694ce5b17a
SHA256

d4d681de3122bc3ae016425a6f3b7bbaa7d9ef062be5791b5aa81e1e15df6726
SHA512

1264049af38b72000cd863765561a52aad9e7f28c99189d2a237491be203720ac5550ee18193a788855219e4328305661c8afa3e9f14295466b6d1b89f89a2d3
SSDEEP

3072:t1jkb/6LRGryZu2ZXLHLuOqoDErgjqxvH+Q:Tjkb/ORGryhNL7O5eQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1448	8c599b6de696dd586df71920d59bfd9a.exe

Executes dropped EXE 1 IoCs

pid	Process
1448	8c599b6de696dd586df71920d59bfd9a.exe

Loads dropped DLL 1 IoCs

pid	Process
2496	8c599b6de696dd586df71920d59bfd9a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001224c-11.dat	upx
behavioral1/memory/2496-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000a00000001224c-14.dat	upx
behavioral1/files/0x000a00000001224c-13.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8c599b6de696dd586df71920d59bfd9a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8c599b6de696dd586df71920d59bfd9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8c599b6de696dd586df71920d59bfd9a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8c599b6de696dd586df71920d59bfd9a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2496	8c599b6de696dd586df71920d59bfd9a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2496	8c599b6de696dd586df71920d59bfd9a.exe
1448	8c599b6de696dd586df71920d59bfd9a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1448	2496	8c599b6de696dd586df71920d59bfd9a.exe	16
PID 2496 wrote to memory of 1448	2496	8c599b6de696dd586df71920d59bfd9a.exe	16
PID 2496 wrote to memory of 1448	2496	8c599b6de696dd586df71920d59bfd9a.exe	16
PID 2496 wrote to memory of 1448	2496	8c599b6de696dd586df71920d59bfd9a.exe	16

C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe
"C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe
  C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe

Filesize
133KB

MD5
5ab29788e261cbcad8e736e79d3716e4

SHA1
b6a62e235795046eeed37ea0c27aa89ae7fef3b8

SHA256
e3f1253a1c90f73350f4b72a1625c5d47f5aaec7bfd5971fb0d428950f28dcd6

SHA512
0b9842a3e4ca4e61a7ac062cc64dd66c30f107ab851007254f34744955e4b0905fbbe7c5ea296cd19ef42d81d477b00a983ab358cade87bde99b73b2946f9645

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe

Filesize
1KB

MD5
fdd8e31e5495577fbeb8f03088806bc7

SHA1
c7cb99b81ac25af01ab281ee9d2138608390e404

SHA256
822ddeb14d584aa661e4397a96ccaff581aa257abd5029a7b860e676a82365d9

SHA512
07681967cb8201020b02e8cfbc9803f0fa52eb3b76b70a6f5d6959bee1f07d304ee719cb8ba9f8645f1657a358741ae250470495cd72531d7264c4b434dfb953

Download Submit
\Users\Admin\AppData\Local\Temp\8c599b6de696dd586df71920d59bfd9a.exe

Filesize
36KB

MD5
b05864829a205af40eaf3b02979cad58

SHA1
3732e24ba369f6a0fea7de84ab3ba5044297bb22

SHA256
42ce459ce6f3d85f19992527e0117eae06ee2cc52a969fa1d8fd7d7785815c7e

SHA512
24d0b37a94d2e700ce0b0d4f2847d3feb5d4d6556b289190bc4455cf2b1a360e3c83fef1f6ed3e91fd3e5b395d49062fa99c110b589c6555abc2547245a3879c

Download Submit
memory/1448-16-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1448-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1448-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2496-3-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2496-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2496-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2496-18-0x0000000000250000-0x00000000002D6000-memory.dmp

Filesize
536KB

Download
memory/2496-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2496-42-0x0000000000250000-0x00000000002D6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing