1b6453ad887e4841c93d28037cf801493f16ab702a7019e4743449a5a31da955

General

Target

a818fa4846e5a1d2f74be5951c3fdcb7.exe
Size

1.6MB
MD5

a818fa4846e5a1d2f74be5951c3fdcb7
SHA1

c12242344d94c1486455d6a835004cdc51051857
SHA256

1b6453ad887e4841c93d28037cf801493f16ab702a7019e4743449a5a31da955
SHA512

1343fff9ce3f63da0ca719b52af5add878df6d202283fea5cb77499c10263a46474f9f5ea39a8f574899e60b1743b49f80dbdaf201fcebc7a8de95387a985a4e
SSDEEP

49152:0sEAfnuuMncakLz0XWzJy581Sa3cakLz0O:0sEAfnuuMncakcmzU581lcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012251-15.dat	upx
behavioral1/files/0x000d000000012251-13.dat	upx
behavioral1/files/0x000d000000012251-11.dat	upx
behavioral1/memory/2140-6-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2844	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a818fa4846e5a1d2f74be5951c3fdcb7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a818fa4846e5a1d2f74be5951c3fdcb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a818fa4846e5a1d2f74be5951c3fdcb7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a818fa4846e5a1d2f74be5951c3fdcb7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe
1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1804	2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe	20
PID 2140 wrote to memory of 1804	2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe	20
PID 2140 wrote to memory of 1804	2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe	20
PID 2140 wrote to memory of 1804	2140	a818fa4846e5a1d2f74be5951c3fdcb7.exe	20
PID 1804 wrote to memory of 2844	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	15
PID 1804 wrote to memory of 2844	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	15
PID 1804 wrote to memory of 2844	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	15
PID 1804 wrote to memory of 2844	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	15
PID 1804 wrote to memory of 2740	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	19
PID 1804 wrote to memory of 2740	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	19
PID 1804 wrote to memory of 2740	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	19
PID 1804 wrote to memory of 2740	1804	a818fa4846e5a1d2f74be5951c3fdcb7.exe	19
PID 2740 wrote to memory of 2360	2740	cmd.exe	18
PID 2740 wrote to memory of 2360	2740	cmd.exe	18
PID 2740 wrote to memory of 2360	2740	cmd.exe	18
PID 2740 wrote to memory of 2360	2740	cmd.exe	18

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe" /TN U5Z8sQiHf24d /F
1⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\Ev6Pvj6.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe
C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe
"C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe

Filesize
93KB

MD5
75e26d7197f72952101e2da865132c8f

SHA1
ad6f285d29096e42c74e3b7099ade064989974f3

SHA256
3b95d7d9e7ba0b4c33c0dffc0ee748fd982efedf29fe2e2b7941fe94b09d62f0

SHA512
69d265dae33edab738df016befdba145dcc6fa012c3a79f247c40b8827e242ed90d78c53535bc7987b9c1c670810e1e8d9467ae5751020cea96fafa301cbcbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe

Filesize
3KB

MD5
ead899c03272401c82f7256c7827c485

SHA1
2685fcd9e0c77c997dcb9fbb99b7676bbb5666d8

SHA256
0f546c9d2a3f822e88514060d11fb7d5395a7f6cc9e33828486e9f2978b248d6

SHA512
af1450f7474bb036bee6a8d2116e7a1d4f483bc5a21b29059341e0b7c063b42f443aa848bed4d73cb5948b937f73bb696b553cc50354daad065064fe13981013

Download Submit
\Users\Admin\AppData\Local\Temp\a818fa4846e5a1d2f74be5951c3fdcb7.exe

Filesize
897KB

MD5
2f8d35c8bb6372628827befd80892e86

SHA1
058e9d458c1f8a64c141e00a517391975f5ac568

SHA256
943d2a55f8eb4d10c9eae0331f925201545aa15815b66dd132c8b303cbd492f6

SHA512
8e203d878f91a7be572654705bc2e34ad27032542d0ffddb3eaa3ed5135f5a683d848a5c23d0051720412573ffdd57311835fa5f3a881e054b05653ec8580250

Download Submit
memory/1804-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1804-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1804-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1804-21-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1804-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-8-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2140-6-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads