4e6d5c6e1c83ee43cb6f48661ff2a3cd275aa7178e9f8bf505c1f51bd029e491

General

Target

a83a66b40fdc4c83d922567b0d5cc352.exe
Size

133KB
MD5

a83a66b40fdc4c83d922567b0d5cc352
SHA1

8fd57020d4877eabd909fc83eb38a6507b6e2e35
SHA256

4e6d5c6e1c83ee43cb6f48661ff2a3cd275aa7178e9f8bf505c1f51bd029e491
SHA512

1ad20e8831058d4bd3152861798a78a30881cccdff2dff558efdd1fc5f139dc5cdf79c4ac32c945436937c1c7806c6f8fb2dad23c730376414d4ab5a536a2036
SSDEEP

3072:PGiCcS1JwGqGziw0mkflWfjdK3WwVZ/teseUzQ:PGixS1JvF0SdCD/8sHzQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2416	a83a66b40fdc4c83d922567b0d5cc352.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	a83a66b40fdc4c83d922567b0d5cc352.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	a83a66b40fdc4c83d922567b0d5cc352.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-11.dat	upx
behavioral1/files/0x000b00000001226e-16.dat	upx
behavioral1/memory/3060-14-0x0000000002D00000-0x0000000002D86000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a83a66b40fdc4c83d922567b0d5cc352.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a83a66b40fdc4c83d922567b0d5cc352.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a83a66b40fdc4c83d922567b0d5cc352.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a83a66b40fdc4c83d922567b0d5cc352.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3060	a83a66b40fdc4c83d922567b0d5cc352.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3060	a83a66b40fdc4c83d922567b0d5cc352.exe
2416	a83a66b40fdc4c83d922567b0d5cc352.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2416	3060	a83a66b40fdc4c83d922567b0d5cc352.exe	29
PID 3060 wrote to memory of 2416	3060	a83a66b40fdc4c83d922567b0d5cc352.exe	29
PID 3060 wrote to memory of 2416	3060	a83a66b40fdc4c83d922567b0d5cc352.exe	29
PID 3060 wrote to memory of 2416	3060	a83a66b40fdc4c83d922567b0d5cc352.exe	29

C:\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe
"C:\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe
  C:\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe

Filesize
15KB

MD5
227e6cec66804bce2f3b986633785d9c

SHA1
7ce96b41fe44cec77750d376c3a953207d409123

SHA256
a0411e503614e05aa9ca59c3ba6617b7d546827ed7ac5f15010d85a2c57e5c1c

SHA512
d4bd5091418aaab547e1db7f5f0fab8ad023c07f3e5f8fcd0f5d24db0502cf049d0db0813a97c4c68d7c3fa405bb2b45c4f6d0abd20c58f7028e761631964c67

Download Submit
\Users\Admin\AppData\Local\Temp\a83a66b40fdc4c83d922567b0d5cc352.exe

Filesize
73KB

MD5
b8fc668a9f9961bc8ef476d91d25189b

SHA1
93102c3a93edcd84083a94064569945b3b5dc843

SHA256
1cca5560d9b8e555eb2ea8e035dafb2ee7181660c91a7cd4f800b482c40f65d0

SHA512
9b17263c05b2743605e2db217804d9d1421a32251ddfd9a3d7284afa1880230861a214988116ef3f56c5238c72a8e7ad14d7fb0303ca6782f429d21606236fa4

Download Submit
memory/2416-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2416-21-0x00000000002F0000-0x0000000000311000-memory.dmp

Filesize
132KB

Download
memory/2416-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3060-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3060-4-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/3060-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-14-0x0000000002D00000-0x0000000002D86000-memory.dmp

Filesize
536KB

Download
memory/3060-42-0x0000000002D00000-0x0000000002D86000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing