993b2310602349f7a87839065ec05a4de0a79a1042369b154e3ee36064e95aa8

General

Target

a86bc4b652204ae67921450b18070151.exe
Size

1.5MB
MD5

a86bc4b652204ae67921450b18070151
SHA1

8b8b7f62db07f12f7bf4d89ccda5bfb04c3d4acd
SHA256

993b2310602349f7a87839065ec05a4de0a79a1042369b154e3ee36064e95aa8
SHA512

6538f66488ba6f0b0c2e1d35e8a3933362c07e9e8451c5c37f98b3e1caed77c9b2f8efbc3768dc19884053157282b65b1fff8b4e8c3495906399ccad307c08c9
SSDEEP

24576:jrn0Cn0feqGFXMcjukL2f0wt5frvsMZ500VUbQbcjukL2Y:jrn0Cn0WqGRMcakLs0+QMZuwUUcakLj

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1940	a86bc4b652204ae67921450b18070151.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	a86bc4b652204ae67921450b18070151.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	a86bc4b652204ae67921450b18070151.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000014abe-11.dat	upx
behavioral1/files/0x0009000000014abe-13.dat	upx
behavioral1/files/0x0009000000014abe-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2556	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a86bc4b652204ae67921450b18070151.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a86bc4b652204ae67921450b18070151.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a86bc4b652204ae67921450b18070151.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a86bc4b652204ae67921450b18070151.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2368	a86bc4b652204ae67921450b18070151.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2368	a86bc4b652204ae67921450b18070151.exe
1940	a86bc4b652204ae67921450b18070151.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1940	2368	a86bc4b652204ae67921450b18070151.exe	29
PID 2368 wrote to memory of 1940	2368	a86bc4b652204ae67921450b18070151.exe	29
PID 2368 wrote to memory of 1940	2368	a86bc4b652204ae67921450b18070151.exe	29
PID 2368 wrote to memory of 1940	2368	a86bc4b652204ae67921450b18070151.exe	29
PID 1940 wrote to memory of 2556	1940	a86bc4b652204ae67921450b18070151.exe	31
PID 1940 wrote to memory of 2556	1940	a86bc4b652204ae67921450b18070151.exe	31
PID 1940 wrote to memory of 2556	1940	a86bc4b652204ae67921450b18070151.exe	31
PID 1940 wrote to memory of 2556	1940	a86bc4b652204ae67921450b18070151.exe	31
PID 1940 wrote to memory of 2652	1940	a86bc4b652204ae67921450b18070151.exe	34
PID 1940 wrote to memory of 2652	1940	a86bc4b652204ae67921450b18070151.exe	34
PID 1940 wrote to memory of 2652	1940	a86bc4b652204ae67921450b18070151.exe	34
PID 1940 wrote to memory of 2652	1940	a86bc4b652204ae67921450b18070151.exe	34
PID 2652 wrote to memory of 2868	2652	cmd.exe	33
PID 2652 wrote to memory of 2868	2652	cmd.exe	33
PID 2652 wrote to memory of 2868	2652	cmd.exe	33
PID 2652 wrote to memory of 2868	2652	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe
"C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe
  C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\bfKp1y.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 6ek6uOO9da42
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe

Filesize
884KB

MD5
2422a4b5dfe38c6a3b6cbba2b0b2219b

SHA1
2dbfacb68a9f4a0bb05e184c7f2e78489630f85f

SHA256
37c8105d6daa04072dcd202c560c6e8e4c816ae41968a560b754f863841c3628

SHA512
13d1cc1c142d003727c52550a10959605d3387226438624a76874cca6180db1d85224938674957a4a3ad3e5a5ab97e586c5698497468ad58d70a9ec617fb78fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe

Filesize
546KB

MD5
1fe89843c8ab63b13d94aab80371f2a7

SHA1
eb6688952b90c58ca835e92802b2b2274cc763d4

SHA256
f4890bb3cf51820b158faf9732868d510c82e92e43092cddf02de7c8bdc75444

SHA512
8ba4b3ce6ad48035ceeb020ab1e6e5dfd57b60bd14460e094fb02de3226c75cc308fc599f080c3a0698633e2ee3599b03d09f298df90ab2042638215f3c07ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfKp1y.xml

Filesize
1KB

MD5
bc4a4aad47720d771dd92da5580bfc10

SHA1
df6c20e5b4a240865fa530cd1fe19d3ff8a75dc8

SHA256
4add9ce762c07e9194f013dd9dd2251ed986c52aab65b99c674b90ca623d8b38

SHA512
34157552ed523f39888ba7d6f08f29cf574b4096fcb2eb30e501d4c42977bcde946b598c417d2a6742eca5ec43c39853c92fbccaf2d04b2bffb668eb40cf5014

Download Submit
\Users\Admin\AppData\Local\Temp\a86bc4b652204ae67921450b18070151.exe

Filesize
720KB

MD5
005255f2e48927f891eaa5621e792658

SHA1
e99da54f4eb455799858e11b8c8fb88b589fa5c1

SHA256
87700969798028e81dc49ddc70fb7dda8deac4df3eb9596ec6677b78cc7c08a8

SHA512
1dd5fea723a24b1ba5e517836b8d27c157a6ba09cee8ed2f2224682017c8a421615bc5e2fa7a8f754be70f278bbfe70b84bcb9c5ec9025b540639a4561f416fa

Download Submit
memory/1940-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1940-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1940-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1940-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1940-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-17-0x0000000023040000-0x000000002329C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2368-9-0x00000000001B0000-0x000000000022E000-memory.dmp

Filesize
504KB

Download
memory/2368-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads