bee8d8ba5efced2952f3e476903d0a18e0e9c9971fdffc7b0cda8b29dddbf68f

General

Target

a547df569c9342f466ad3397c687e12a.exe
Size

19.9MB
MD5

a547df569c9342f466ad3397c687e12a
SHA1

789f50f05f0b49203a80f576b60885b535f510a5
SHA256

bee8d8ba5efced2952f3e476903d0a18e0e9c9971fdffc7b0cda8b29dddbf68f
SHA512

4f39befd506f07dfb7a73bb6a7be75826e71e1d9e0fde714e3cb980eb98bd48088c5be5faa7891a83d4793e2f363b67568a759d8bb42433d3664b134190b17c0
SSDEEP

196608:zPoAywkcmVcKQrqcmVc2rBh9mR1cmVcKQrqcmVc:Do1wkcm+Zrqcm+ch0R1cm+Zrqcm+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	a547df569c9342f466ad3397c687e12a.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	a547df569c9342f466ad3397c687e12a.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	a547df569c9342f466ad3397c687e12a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-0-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/memory/2728-17-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/files/0x000b000000012185-16.dat	upx
behavioral1/files/0x000b000000012185-14.dat	upx
behavioral1/files/0x000b000000012185-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a547df569c9342f466ad3397c687e12a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a547df569c9342f466ad3397c687e12a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a547df569c9342f466ad3397c687e12a.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a547df569c9342f466ad3397c687e12a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1308	a547df569c9342f466ad3397c687e12a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1308	a547df569c9342f466ad3397c687e12a.exe
2728	a547df569c9342f466ad3397c687e12a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2728	1308	a547df569c9342f466ad3397c687e12a.exe	29
PID 1308 wrote to memory of 2728	1308	a547df569c9342f466ad3397c687e12a.exe	29
PID 1308 wrote to memory of 2728	1308	a547df569c9342f466ad3397c687e12a.exe	29
PID 1308 wrote to memory of 2728	1308	a547df569c9342f466ad3397c687e12a.exe	29

C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe
"C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe
  C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe

Filesize
4.8MB

MD5
427c02f4fc842fcbb1bcebd518ef0da7

SHA1
7bb28943f93d080a4d5e1ca6f61339ff0e7fcb97

SHA256
8329b206ff56ea44a889d39b6cb2849e5811cb2b91c61bdc1077e04481e7d180

SHA512
46274a1ec246220075a48396f4cbd66d55ef4e9c7704fddef07995fe923508eaac5fee8410007402fc95cb0abe4cbe69d056ff30559d77508ae0c325444e241a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe

Filesize
1.5MB

MD5
95128c19dfa1e759abf07a6a38f38d3f

SHA1
8b1eb87d40174a3ea60f1b2eb02ecaebd882fa3a

SHA256
428655bee63643baaea5da3c8ae5a84adf5e0c230d13c7a45cf409852e6ac510

SHA512
deff8b4b383d552baf33a738f2fa711d34df3cfe18222aa67695e627223cdc0c2c90700b9b96693d2263e8fedcd8ff45614c92a78554add374425a8c2ff27975

Download Submit
\Users\Admin\AppData\Local\Temp\a547df569c9342f466ad3397c687e12a.exe

Filesize
8.9MB

MD5
731b001021c785edcf71da650492c197

SHA1
20b00fb458aa7d0046732bbd60b50a2ecdc063c4

SHA256
0296eef9386af5b5c063a45a9b4031481a157a74f6de89ffd6ed752b72e3521b

SHA512
794fbbb6ec2d64afcdc0ee9362f7a11be52b4f78e782ec2e5ba9a68c9bdf1dd8592ba50854aac01511bc457c81d4feea2b581a9f229fb643c373e9754f7e2db3

Download Submit
memory/1308-1-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1308-0-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/1308-3-0x0000000001FE0000-0x000000000220E000-memory.dmp

Filesize
2.2MB

Download
memory/1308-15-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2728-17-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2728-18-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/2728-42-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing