30d150ce8bc4f6d9173f3e766c2a2b45c3e2d763d498ae08dec001f05d110c3c

General

Target

af42dc3d0f6480e17a15383a45ffd0bd.exe
Size

6.4MB
MD5

af42dc3d0f6480e17a15383a45ffd0bd
SHA1

47b58f691604ce6e63dbcd4845153733f6e0aaac
SHA256

30d150ce8bc4f6d9173f3e766c2a2b45c3e2d763d498ae08dec001f05d110c3c
SHA512

dd58db6959904c7d20c32d29b7b7586eb5c894bd083fbbab56cc11afa39db2ccb19539232517bc29125e6587a45130dbdde9a94f8b7ecb3fb7c348e4940ce9b9
SSDEEP

196608:+RZ+dltO5I+vEBudlvBlJ7kdltO5I+vEBudl/LGiRdltO5I+vEBudlvBlJ7kdltT:+RZ2yI+vuiJUyI+vuAGCyI+vuiJUyI+g

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1128	af42dc3d0f6480e17a15383a45ffd0bd.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	af42dc3d0f6480e17a15383a45ffd0bd.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	af42dc3d0f6480e17a15383a45ffd0bd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1336-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012242-11.dat	upx
behavioral1/files/0x000c000000012242-15.dat	upx
behavioral1/files/0x000c000000012242-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	af42dc3d0f6480e17a15383a45ffd0bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	af42dc3d0f6480e17a15383a45ffd0bd.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	af42dc3d0f6480e17a15383a45ffd0bd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	af42dc3d0f6480e17a15383a45ffd0bd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1336	af42dc3d0f6480e17a15383a45ffd0bd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1336	af42dc3d0f6480e17a15383a45ffd0bd.exe
1128	af42dc3d0f6480e17a15383a45ffd0bd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1128	1336	af42dc3d0f6480e17a15383a45ffd0bd.exe	29
PID 1336 wrote to memory of 1128	1336	af42dc3d0f6480e17a15383a45ffd0bd.exe	29
PID 1336 wrote to memory of 1128	1336	af42dc3d0f6480e17a15383a45ffd0bd.exe	29
PID 1336 wrote to memory of 1128	1336	af42dc3d0f6480e17a15383a45ffd0bd.exe	29
PID 1128 wrote to memory of 2744	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	31
PID 1128 wrote to memory of 2744	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	31
PID 1128 wrote to memory of 2744	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	31
PID 1128 wrote to memory of 2744	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	31
PID 1128 wrote to memory of 2796	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	34
PID 1128 wrote to memory of 2796	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	34
PID 1128 wrote to memory of 2796	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	34
PID 1128 wrote to memory of 2796	1128	af42dc3d0f6480e17a15383a45ffd0bd.exe	34
PID 2796 wrote to memory of 2964	2796	cmd.exe	32
PID 2796 wrote to memory of 2964	2796	cmd.exe	32
PID 2796 wrote to memory of 2964	2796	cmd.exe	32
PID 2796 wrote to memory of 2964	2796	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe
"C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe
  C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\ScrDiVKUl.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe

Filesize
794KB

MD5
1629e26e25270b47df849a9dbd05b98b

SHA1
a510c137d98bf4961482029293d9f3eb0cf98a99

SHA256
53732457cd3e61734739f14e76e47be56f0dd4823b86642c6798ff65586db001

SHA512
ba8bf27924bc59c6566f7d2c291da10dce7241bb1abeeb5f4980b6c18595b48ef4a22c1db1ae79cea5ecb938a10e7f07761526b56cc89a741663d89e6273615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe

Filesize
1.1MB

MD5
b8672e33a8ec66f655cde6bab8300909

SHA1
e7707abfbeab9ec26a911f773efc9e6185606e62

SHA256
b67316a6fdff00f84e29f98ab1d85b4b25ddb3f6afb549ed2a91ada2011ef0bd

SHA512
b05a3e2535f0ba885d9cdf55ddbe35c56389b44f4ea42d6ab7e5bc8685d6b5f589637f5f8796e946949b38b08840fbf7f43c65c79aca5052f109a6dc33b51e72

Download Submit
\Users\Admin\AppData\Local\Temp\af42dc3d0f6480e17a15383a45ffd0bd.exe

Filesize
819KB

MD5
712392d8d3b00e890482851fcadb79f4

SHA1
64afa975156250500ac6a9453e8a4952c85eae1f

SHA256
954c5c7fe8e7ba60af269c6d9d98fbc306ee3b03168524b27b71c6b4acce3529

SHA512
36de04045f3fd9d29576f5928ea7405572fef1c65b0632a8fd93f877115e2231a5735dc734531646a1d0cf911384c2cd10c6ac7b095f5ed7037ee61e526f5a5c

Download Submit
memory/1128-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1128-27-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/1128-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1128-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1128-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1336-17-0x0000000023BC0000-0x0000000023E1C000-memory.dmp

Filesize
2.4MB

Download
memory/1336-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1336-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1336-6-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/1336-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1336-53-0x0000000023BC0000-0x0000000023E1C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads