115f862c94fec5c76959b3d40c795bc1763007b0de7722217a19810327d9fb0b

General

Target

a3cb70d441817e3dd222da18ad28522d.exe
Size

302KB
MD5

a3cb70d441817e3dd222da18ad28522d
SHA1

ebfb3052225ac30afceddfaf057c2ffd320a3f21
SHA256

115f862c94fec5c76959b3d40c795bc1763007b0de7722217a19810327d9fb0b
SHA512

77d311904a2864c3b4cb5aa97ee27b12552f60534665d271f56d96fca1b0550960752689ff166598c954c095457d312ca4afe0e147c082132494678568fd3444
SSDEEP

6144:PT8DVUx2k3wKSjvePAVviw4yY5y6PPJ8IbP9mQ:PI6Ak3wzvqpxeeP9m

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2072	a3cb70d441817e3dd222da18ad28522d.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	a3cb70d441817e3dd222da18ad28522d.exe

Loads dropped DLL 1 IoCs

pid	Process
2900	a3cb70d441817e3dd222da18ad28522d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000a000000012243-15.dat	upx
behavioral1/files/0x000a000000012243-13.dat	upx
behavioral1/files/0x000a000000012243-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a3cb70d441817e3dd222da18ad28522d.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a3cb70d441817e3dd222da18ad28522d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a3cb70d441817e3dd222da18ad28522d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a3cb70d441817e3dd222da18ad28522d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2900	a3cb70d441817e3dd222da18ad28522d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2900	a3cb70d441817e3dd222da18ad28522d.exe
2072	a3cb70d441817e3dd222da18ad28522d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2072	2900	a3cb70d441817e3dd222da18ad28522d.exe	18
PID 2900 wrote to memory of 2072	2900	a3cb70d441817e3dd222da18ad28522d.exe	18
PID 2900 wrote to memory of 2072	2900	a3cb70d441817e3dd222da18ad28522d.exe	18
PID 2900 wrote to memory of 2072	2900	a3cb70d441817e3dd222da18ad28522d.exe	18

C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe
"C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe
  C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe

Filesize
62KB

MD5
bc37ab20f9e72f81848b9900518ee85e

SHA1
54eac6b6794ea384eaf21f85a126ab6f02e76204

SHA256
8bb68ce9b2664b6bfd5c5ce075c49c79ed6ab11514d47552c8a55f29cd0cfd62

SHA512
8ce7f989a3a5b70892b447b23e4c86a255d52f2d2a0b9ff069371e212d262daa20f1a074d330dd4da4c0801ff9dcccafad263aa4e9ef9341cafe530c20d58658

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe

Filesize
198KB

MD5
38a5fe6a41dbfd7cd6db0697902752ff

SHA1
d2589ddba0db5a4d432610d23a8ecca334b17588

SHA256
46a3fa2a7298ec5c9dc4dafdf0e0bd2ea80496b2b510358c2f8fd73175a2492c

SHA512
07c37ceabcc42e0d99e91b1a607795f235ef95d95dbc0bb2a796d7a0b0c35ed0e91f3f960a57023df15fb4fa82ca798a25a6aa16856226ba9468171e88984bc6

Download Submit
\Users\Admin\AppData\Local\Temp\a3cb70d441817e3dd222da18ad28522d.exe

Filesize
231KB

MD5
07d062a3321600515ae9e9730bdb2ace

SHA1
659d84cb55e09e80fe2b0cfb0fe52c443b93609a

SHA256
2f3c0e89fc8bc6e3abdd8bf475ec602633928a18232445fb8f837d7c1ef00271

SHA512
a2088572c444e012c5dfeb3e1d07cbcadbf4cabad58fefe43d42d8b8107e7b265766453627f26354df783d7f15cfda87a01ddb5ae96bde9fd3c86c0ad9d7ef7d

Download Submit
memory/2072-17-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/2072-20-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2072-42-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2900-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2900-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-1-0x0000000000340000-0x0000000000371000-memory.dmp

Filesize
196KB

Download
memory/2900-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing