d6951b1b3a71ac17dbf4a7bd2a5fe018ba8da175a1c6402ac88c62bc06417104

General

Target

a3e4a1c951badde43b046836b646e95a.exe
Size

3.0MB
MD5

a3e4a1c951badde43b046836b646e95a
SHA1

a9efed6e97276e4c96998b31aedd917058a3e7e6
SHA256

d6951b1b3a71ac17dbf4a7bd2a5fe018ba8da175a1c6402ac88c62bc06417104
SHA512

642d44748f3b872a7178da6357ba7889613b7ba749565f666da2967f21d929352debcd8126ce14edd74fde95859a10b2d1f56a65cba4a2ce5309f61bbf6044ad
SSDEEP

49152:PC+YyDncle1TAciqvJ9OqdUcakLoY4fIKSW6TItcakLfby4NrPxUSf6qcakLoY4S:PCbyDnse1TAciqbOqdUcakH4fInW6Mc6

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	a3e4a1c951badde43b046836b646e95a.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	a3e4a1c951badde43b046836b646e95a.exe

Loads dropped DLL 1 IoCs

pid	Process
2688	a3e4a1c951badde43b046836b646e95a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001224d-16.dat	upx
behavioral1/files/0x000a00000001224d-14.dat	upx
behavioral1/files/0x000a00000001224d-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2820	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a3e4a1c951badde43b046836b646e95a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a3e4a1c951badde43b046836b646e95a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a3e4a1c951badde43b046836b646e95a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a3e4a1c951badde43b046836b646e95a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2688	a3e4a1c951badde43b046836b646e95a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2688	a3e4a1c951badde43b046836b646e95a.exe
2980	a3e4a1c951badde43b046836b646e95a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2980	2688	a3e4a1c951badde43b046836b646e95a.exe	29
PID 2688 wrote to memory of 2980	2688	a3e4a1c951badde43b046836b646e95a.exe	29
PID 2688 wrote to memory of 2980	2688	a3e4a1c951badde43b046836b646e95a.exe	29
PID 2688 wrote to memory of 2980	2688	a3e4a1c951badde43b046836b646e95a.exe	29
PID 2980 wrote to memory of 2820	2980	a3e4a1c951badde43b046836b646e95a.exe	31
PID 2980 wrote to memory of 2820	2980	a3e4a1c951badde43b046836b646e95a.exe	31
PID 2980 wrote to memory of 2820	2980	a3e4a1c951badde43b046836b646e95a.exe	31
PID 2980 wrote to memory of 2820	2980	a3e4a1c951badde43b046836b646e95a.exe	31
PID 2980 wrote to memory of 2884	2980	a3e4a1c951badde43b046836b646e95a.exe	34
PID 2980 wrote to memory of 2884	2980	a3e4a1c951badde43b046836b646e95a.exe	34
PID 2980 wrote to memory of 2884	2980	a3e4a1c951badde43b046836b646e95a.exe	34
PID 2980 wrote to memory of 2884	2980	a3e4a1c951badde43b046836b646e95a.exe	34
PID 2884 wrote to memory of 2748	2884	cmd.exe	32
PID 2884 wrote to memory of 2748	2884	cmd.exe	32
PID 2884 wrote to memory of 2748	2884	cmd.exe	32
PID 2884 wrote to memory of 2748	2884	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe
"C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe
  C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\7wJpR.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7wJpR.xml

Filesize
1KB

MD5
72e23d12ee1764a23ed8eb5fe27a93f3

SHA1
f6628140b6e1bce4344040b0b996e1eeeba82cdb

SHA256
ed015ea612c623336a32e23d6c6c3c6e5216586ff9d9a2a07777ea0e25cc7a7c

SHA512
bd069c1a21b21f807bbef1437c8a41a45fd8de123a664c24d3fc991413da7862aa1dae48494e2d7e30cb06ab575975a6bdf432c9fa0f3132ef01c68dfa075d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe

Filesize
1.8MB

MD5
d29ad08532b7be64c3791598a2b6548b

SHA1
1ee9ec210ce194e55242b1a62a1866244272c01a

SHA256
45b290979a4cce9d7c8f6091df355aa5b59af0a1b4546ff2a2f19f2dc2b28f6c

SHA512
258cc8713eb3791524b60c6fa7986ab744c198162566805f4d8c7a81c0b582d020cba802a0d6ea884fa5c00a489da401198368195f198b74b669b7abe558a0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe

Filesize
1.1MB

MD5
ea97e58785101909538ce441aa10ceaf

SHA1
623e6af3a3ae78d76442ba3f20af0da7c515d0d2

SHA256
28ae3bc8fa6492486533d2891d143c08356a1611859f9b82f602d24fc5ed7642

SHA512
2a7f24a6d5b68c4a2d5b8a45268e9f43f82719226461f4a339a820978a84422f4bfd7c639be3f54dec177f62740bdab4efe58c0113d84aa8a3ad149af6a9eab3

Download Submit
\Users\Admin\AppData\Local\Temp\a3e4a1c951badde43b046836b646e95a.exe

Filesize
2.7MB

MD5
827d24d3e3b99657a830100274f7b780

SHA1
c82410815944a94646c86886bd4b12ee8823dea9

SHA256
c6866166a2256103698acced48a5085db12e2ecd86535ead1d5b0743a858bedc

SHA512
790204e542f3b120bc98bca6e4a861cbd4d067af1cc1c52144ae3b2d9c89561c1272fe00427620fc926c802fd8312c4df8e3d7e38e30fc45930313ae96e6cdc7

Download Submit
memory/2688-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-8-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2688-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2980-20-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2980-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2980-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2980-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2980-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads