e545ca0f2045a7ecdd5fe7a6b888fed29c19aa53eddeb4d874a33e59cbbd502c

General

Target

a68802a9717cb157a1596f07d9f8e8dc.exe
Size

3.9MB
MD5

a68802a9717cb157a1596f07d9f8e8dc
SHA1

e149a3e8585769b42814a892cae844dd6803bc6e
SHA256

e545ca0f2045a7ecdd5fe7a6b888fed29c19aa53eddeb4d874a33e59cbbd502c
SHA512

5b78cb5b061a985d28e13418d69263a603852ac74f6f68bf2abcda97c7f10ce07f10704604bd236cc83c44434f8371f4402e07a135559b22ed35865d2550dfad
SSDEEP

98304:a3tiSyUk0m0XVcakcibiqhRIAjhZiFUo8c7OgCnpmcakcibiqhXFEe2CXhtcakcw:adirUHXVdlirPFjhKUo8tgCcdlirR7Do

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3008	a68802a9717cb157a1596f07d9f8e8dc.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	a68802a9717cb157a1596f07d9f8e8dc.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	a68802a9717cb157a1596f07d9f8e8dc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-11.dat	upx
behavioral1/files/0x000a000000013a71-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2548	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a68802a9717cb157a1596f07d9f8e8dc.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a68802a9717cb157a1596f07d9f8e8dc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a68802a9717cb157a1596f07d9f8e8dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a68802a9717cb157a1596f07d9f8e8dc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2204	a68802a9717cb157a1596f07d9f8e8dc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2204	a68802a9717cb157a1596f07d9f8e8dc.exe
3008	a68802a9717cb157a1596f07d9f8e8dc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3008	2204	a68802a9717cb157a1596f07d9f8e8dc.exe	23
PID 2204 wrote to memory of 3008	2204	a68802a9717cb157a1596f07d9f8e8dc.exe	23
PID 2204 wrote to memory of 3008	2204	a68802a9717cb157a1596f07d9f8e8dc.exe	23
PID 2204 wrote to memory of 3008	2204	a68802a9717cb157a1596f07d9f8e8dc.exe	23
PID 3008 wrote to memory of 2548	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	30
PID 3008 wrote to memory of 2548	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	30
PID 3008 wrote to memory of 2548	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	30
PID 3008 wrote to memory of 2548	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	30
PID 3008 wrote to memory of 2564	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	33
PID 3008 wrote to memory of 2564	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	33
PID 3008 wrote to memory of 2564	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	33
PID 3008 wrote to memory of 2564	3008	a68802a9717cb157a1596f07d9f8e8dc.exe	33
PID 2564 wrote to memory of 2656	2564	cmd.exe	31
PID 2564 wrote to memory of 2656	2564	cmd.exe	31
PID 2564 wrote to memory of 2656	2564	cmd.exe	31
PID 2564 wrote to memory of 2656	2564	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe
"C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe
  C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\BY19S.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 6ek6uOO9da42
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BY19S.xml

Filesize
1KB

MD5
89f11668e742109abdb3ca5db2ff8745

SHA1
ddd65b7e2b137162bfeae03f471b9308d68017f5

SHA256
e9d0721b7acfb7b7b52f16569c6dceb1ee6cfcd36b1f8036eca0bafa5cc977b1

SHA512
436636cddfd76651f1b1320f17ca6d21df0aaf1fca941ca1159a76cb6e0de5d854cf612a9f248496200ae573139f2287bcbf5b316ac7e0b38a9d7697ae589456

Download Submit
C:\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe

Filesize
185KB

MD5
c8bd896c154e7661f9ebdb0abd87bfc2

SHA1
98c381856c5be791b53bb3764918aecb54373f02

SHA256
708d71c23b71738c4dcb353b16fdb6830ecb28e568d92cf1d9a6036599d55de1

SHA512
bc432cb55619380a297f48ff120191e37aaab7ed11915b155bee6e3acd9fe0943f4168c305ef211b676e5ca988f6236b4c0615f81f377aeee3ac14ad4045ef3b

Download Submit
\Users\Admin\AppData\Local\Temp\a68802a9717cb157a1596f07d9f8e8dc.exe

Filesize
49KB

MD5
73ead9d0d3623b48c82c8607256e4659

SHA1
84d04697b9a3cca6cea87ccfc5e601fbcfdb71a6

SHA256
c725e0a363109139542e33dd00a84ab845af506eb967426b7cdb1682ecc32d7f

SHA512
b39c9c618fc4c55a02989efd0963fe673d06296f8d35f8ccf9ff3531eb16a90ba7c8793c3579556d6060bf1be4b627437994e35483e439c464cf5f4486fc042a

Download Submit
memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-17-0x0000000023620000-0x000000002387C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2204-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2204-2-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2204-45-0x0000000023620000-0x000000002387C000-memory.dmp

Filesize
2.4MB

Download
memory/3008-21-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/3008-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3008-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3008-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-46-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads