66ea53fab2631088e033e9381fabba5da8db42f60e889e4d4c05a5e4443dd731

General

Target

a6e768f1ec391e4620d2721f767dd279.exe
Size

3.2MB
MD5

a6e768f1ec391e4620d2721f767dd279
SHA1

166685e53cbc790d23ca7ae7a3c7755e0c087e3f
SHA256

66ea53fab2631088e033e9381fabba5da8db42f60e889e4d4c05a5e4443dd731
SHA512

244d3badf856faa9262a3e2bfcdc07b13ad9f4fba5660340471741c8e542c1977a6caff25c355a98d73fa98bebe256b3e887791b58c63fd9417311e6a7453a9f
SSDEEP

98304:oIAjfxIJcakcDpO5I+v1xVnGfgMdDShcakcPcy0ArAcakcDpO5I+v1xVnGfgMdDt:JAjfxIJdltO5I+vEBudlPcNArAdltO50

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2420	a6e768f1ec391e4620d2721f767dd279.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	a6e768f1ec391e4620d2721f767dd279.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	a6e768f1ec391e4620d2721f767dd279.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2244-13-0x00000000236A0000-0x00000000238FC000-memory.dmp	upx
behavioral1/files/0x000a0000000139b6-11.dat	upx
behavioral1/files/0x000a0000000139b6-16.dat	upx
behavioral1/memory/2420-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2700	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a6e768f1ec391e4620d2721f767dd279.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a6e768f1ec391e4620d2721f767dd279.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a6e768f1ec391e4620d2721f767dd279.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a6e768f1ec391e4620d2721f767dd279.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2244	a6e768f1ec391e4620d2721f767dd279.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2244	a6e768f1ec391e4620d2721f767dd279.exe
2420	a6e768f1ec391e4620d2721f767dd279.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2420	2244	a6e768f1ec391e4620d2721f767dd279.exe	31
PID 2244 wrote to memory of 2420	2244	a6e768f1ec391e4620d2721f767dd279.exe	31
PID 2244 wrote to memory of 2420	2244	a6e768f1ec391e4620d2721f767dd279.exe	31
PID 2244 wrote to memory of 2420	2244	a6e768f1ec391e4620d2721f767dd279.exe	31
PID 2420 wrote to memory of 2700	2420	a6e768f1ec391e4620d2721f767dd279.exe	29
PID 2420 wrote to memory of 2700	2420	a6e768f1ec391e4620d2721f767dd279.exe	29
PID 2420 wrote to memory of 2700	2420	a6e768f1ec391e4620d2721f767dd279.exe	29
PID 2420 wrote to memory of 2700	2420	a6e768f1ec391e4620d2721f767dd279.exe	29
PID 2420 wrote to memory of 2760	2420	a6e768f1ec391e4620d2721f767dd279.exe	34
PID 2420 wrote to memory of 2760	2420	a6e768f1ec391e4620d2721f767dd279.exe	34
PID 2420 wrote to memory of 2760	2420	a6e768f1ec391e4620d2721f767dd279.exe	34
PID 2420 wrote to memory of 2760	2420	a6e768f1ec391e4620d2721f767dd279.exe	34
PID 2760 wrote to memory of 2876	2760	cmd.exe	33
PID 2760 wrote to memory of 2876	2760	cmd.exe	33
PID 2760 wrote to memory of 2876	2760	cmd.exe	33
PID 2760 wrote to memory of 2876	2760	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe
"C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe
  C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\4oPZdf0.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe" /TN qm2lmOfce5f6 /F
1⤵
- Creates scheduled task(s)
PID:2700

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4oPZdf0.xml

Filesize
1KB

MD5
c0ae3136569d69a63d07fc2290374c0c

SHA1
defc01e46ece54c442b435ec9e35377d0dbf01c1

SHA256
76d12fd75649ec1caa621fcc8f38c40e770d09d6f7194c2cbfeb570af9f8651a

SHA512
d497f761449bd4f08a3af31664d0893e03510a787a8464fc742f5b7572ac10b0cd33fce7671fd64ecad5bdf11179e13885928d3589ab839aaf842f512845641b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe

Filesize
611KB

MD5
b281fe8186acfd16bd3b26f84e952efa

SHA1
17063806fcc6f21e0681e759c661f2b211779c07

SHA256
d5dac67952eaeb37d30f1bb54c99b7977abfadf0f0ee91e4cb7bcb051073cd5a

SHA512
46fb0a001c8347ceb40d5daad71e7543bee015e32db21ff50c7726e3c28c058095f0a74230525fc2ba876267d0ac412cc946edb1feff3872bd8fb78fa51c5b73

Download Submit
\Users\Admin\AppData\Local\Temp\a6e768f1ec391e4620d2721f767dd279.exe

Filesize
769KB

MD5
165af10cc601e70ab035afe1692e3991

SHA1
3d8c7bcfb97fef3c891d15db0f5bf72997b4e557

SHA256
0c3b84c5b6bb6e064e047d4a5a51ec1f25395b50be9685d73e8d326b0329d433

SHA512
9171cc5f57f5593388b8bdded29f67c2e72c49cca57a50d80e5fc0d8fe3006373269951d7a7b61388fa6307da25560f74d8b309d433792c43e28d2255ccff847

Download Submit
memory/2244-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2244-13-0x00000000236A0000-0x00000000238FC000-memory.dmp

Filesize
2.4MB

Download
memory/2244-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2244-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2244-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2420-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2420-20-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2420-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2420-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2420-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads