0e9c5a164da6954cff222b8dab1fdcd4135ca6f48dc7a86a3f42ea3045920f1b

General

Target

a5d9c9aaab95d00e37cd5f12fced12ea.exe
Size

3.2MB
MD5

a5d9c9aaab95d00e37cd5f12fced12ea
SHA1

0e8a70acc04714b5fb15d01ae47ff13a9226cac3
SHA256

0e9c5a164da6954cff222b8dab1fdcd4135ca6f48dc7a86a3f42ea3045920f1b
SHA512

708e4a98c91193e2d37a1e3822e49011b27f6c7baea8edd37256a14b88f33e8cff72e2dcaaf8265879302464c06f5289e11d1e74a69daf855723d8969f2a4a80
SSDEEP

98304:r5Lycakc8qEN73MVknF9TcakcIX7ahMTN3cakc8qEN73MVknF9TcakcO:Vedl8JdMVqdlIXqMJdl8JdMVqdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012185-11.dat	upx
behavioral1/memory/2832-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a5d9c9aaab95d00e37cd5f12fced12ea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a5d9c9aaab95d00e37cd5f12fced12ea.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a5d9c9aaab95d00e37cd5f12fced12ea.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a5d9c9aaab95d00e37cd5f12fced12ea.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe
2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2832	3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe	29
PID 3028 wrote to memory of 2832	3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe	29
PID 3028 wrote to memory of 2832	3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe	29
PID 3028 wrote to memory of 2832	3028	a5d9c9aaab95d00e37cd5f12fced12ea.exe	29
PID 2832 wrote to memory of 2852	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	30
PID 2832 wrote to memory of 2852	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	30
PID 2832 wrote to memory of 2852	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	30
PID 2832 wrote to memory of 2852	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	30
PID 2832 wrote to memory of 2744	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	32
PID 2832 wrote to memory of 2744	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	32
PID 2832 wrote to memory of 2744	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	32
PID 2832 wrote to memory of 2744	2832	a5d9c9aaab95d00e37cd5f12fced12ea.exe	32
PID 2744 wrote to memory of 2592	2744	cmd.exe	34
PID 2744 wrote to memory of 2592	2744	cmd.exe	34
PID 2744 wrote to memory of 2592	2744	cmd.exe	34
PID 2744 wrote to memory of 2592	2744	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe
"C:\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe
  C:\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\OlLuK8Bo.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OlLuK8Bo.xml

Filesize
1KB

MD5
c97674d7d023c601ce98bb8b1cfd52b0

SHA1
e152ea160d019fb797b7945ad0afb67fa44606df

SHA256
06d3c2f7495316cef33f75d0e1930722b37ad603b145b81e721e1fb0242d3787

SHA512
3f56fc8b21921aa85a73e16312382ffd9fa95ac5c304605e92d30f1a9db1f650af9b37cbd5ec347a4e085a284b5fda2a94555ba56c407f16913c8e1e3911e0e1

Download Submit
\Users\Admin\AppData\Local\Temp\a5d9c9aaab95d00e37cd5f12fced12ea.exe

Filesize
3.2MB

MD5
f5f41e3d32a03729e1cde7b255b2dc51

SHA1
4795deffc910fcd22598865b1abf63670c128a0a

SHA256
f4478ae1619cfe45ddb8abf23b25e7bbd46c5a9ae3efd953a70fa66e4d5c87b6

SHA512
25fd56573a6fb3b75079aac299a22ee216b277eb9619f46dd3ca3a60616aad6fa27ed4d8923ba82b4b5d6081ef54f7b4b022393a271c02fe1219875334219192

Download Submit
memory/2832-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2832-19-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2832-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2832-27-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2832-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-3-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads