383ebd9a31e3f1874901c32fbfb2310bce1d2e3d924f2b238e145ac9da608ff8

General

Target

c940abd49dd66ca56a2e730559693402.exe
Size

1003KB
MD5

c940abd49dd66ca56a2e730559693402
SHA1

ef485356936ed0693522ae5c9538c39fed789fc6
SHA256

383ebd9a31e3f1874901c32fbfb2310bce1d2e3d924f2b238e145ac9da608ff8
SHA512

52e012484fc835f0112475ec4295a0faa1faf4198f16fb4b145f5c6446d84d108e90d3c595cc80808ec9f3c233829ac10dac2b2fde2663605e02dfa408e9733f
SSDEEP

24576:m+3Edqfw8Rqzj9GeVuLLwNa0erkZdEx3Knx6Y6:m+3EdqI8R2j9GeVCLwNBerkZdEx3Kns

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3048	c940abd49dd66ca56a2e730559693402.exe

Executes dropped EXE 1 IoCs

pid	Process
3048	c940abd49dd66ca56a2e730559693402.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	c940abd49dd66ca56a2e730559693402.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2784-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/3048-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-17.dat	upx
behavioral1/files/0x000a000000013a71-13.dat	upx
behavioral1/files/0x000a000000013a71-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2564	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c940abd49dd66ca56a2e730559693402.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c940abd49dd66ca56a2e730559693402.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c940abd49dd66ca56a2e730559693402.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c940abd49dd66ca56a2e730559693402.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2784	c940abd49dd66ca56a2e730559693402.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2784	c940abd49dd66ca56a2e730559693402.exe
3048	c940abd49dd66ca56a2e730559693402.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3048	2784	c940abd49dd66ca56a2e730559693402.exe	24
PID 2784 wrote to memory of 3048	2784	c940abd49dd66ca56a2e730559693402.exe	24
PID 2784 wrote to memory of 3048	2784	c940abd49dd66ca56a2e730559693402.exe	24
PID 2784 wrote to memory of 3048	2784	c940abd49dd66ca56a2e730559693402.exe	24
PID 3048 wrote to memory of 2564	3048	c940abd49dd66ca56a2e730559693402.exe	19
PID 3048 wrote to memory of 2564	3048	c940abd49dd66ca56a2e730559693402.exe	19
PID 3048 wrote to memory of 2564	3048	c940abd49dd66ca56a2e730559693402.exe	19
PID 3048 wrote to memory of 2564	3048	c940abd49dd66ca56a2e730559693402.exe	19
PID 3048 wrote to memory of 2668	3048	c940abd49dd66ca56a2e730559693402.exe	23
PID 3048 wrote to memory of 2668	3048	c940abd49dd66ca56a2e730559693402.exe	23
PID 3048 wrote to memory of 2668	3048	c940abd49dd66ca56a2e730559693402.exe	23
PID 3048 wrote to memory of 2668	3048	c940abd49dd66ca56a2e730559693402.exe	23
PID 2668 wrote to memory of 2876	2668	cmd.exe	22
PID 2668 wrote to memory of 2876	2668	cmd.exe	22
PID 2668 wrote to memory of 2876	2668	cmd.exe	22
PID 2668 wrote to memory of 2876	2668	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
"C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
  C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3048

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe" /TN 6ek6uOO9da42 /F
1⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 6ek6uOO9da42
1⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\alb3lo.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alb3lo.xml

Filesize
1KB

MD5
47e8b47deb570720ba484a2a583e8edd

SHA1
7a43176ca608af04b80a12e34a361b6e3119cb48

SHA256
29925c9dfa754e10028904a43712d1e7ad3f3aaa36226369d5ed4f78e27d3092

SHA512
d5b486f5f138eb6c9f51d3931a0badde6165780e97572c55d11319448f6d97346dd1cb0cdd19080e584ffc7409743f60a32de59cd914087652605623cc0fa6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe

Filesize
89KB

MD5
e6db0e19b2005ef5337a503a09ffc0ff

SHA1
1e1bcef48d32218b5d45f1129940e11541ece0ae

SHA256
3dfd88fc0e11751109459915f6b8fb68af80f5a27da7443ebaa970674b183490

SHA512
f073b0dee954b9365364102beda0685e39a685f593b8223d5fbe6ca0442634a1f516c1d49b81ad28eeece6cf4d503937191dfd9764fb0f91027c1985e5b0b2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe

Filesize
240KB

MD5
44aee63d39cd2951690d860df303d766

SHA1
926ebc28b9bc38c2cd1f702d552a65fc6de04631

SHA256
df1947ae7a79da59211ac9b16c262250c6a01540d2d8bde1d297ac779bb08ef7

SHA512
9b4bca925be02d7348830a3f7f29e24b955e198e896d80a863bf84832d921a626ae82e5d386eb95f072fea0160d1333e7e28c00ebed2608b441973f1dd63fd32

Download Submit
\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe

Filesize
93KB

MD5
e7e38ab6ebd7251bf305616e33376d3a

SHA1
11edd8ee2a918f6d994ae3076b621317b8b7274a

SHA256
35c5f0dbe8e3ffff1fbc66cf37fa0318823a4ad33b313782c9d73cd1df6752d8

SHA512
f5d50e99e00c4dbd219f1337626dadfa2c8d75dad68fa82467a17fd6b8c614b5541ff973d79071d2b87ff8f5d1db4a5874bf768181b8334bfefd12fe4322779b

Download Submit
memory/2784-16-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/2784-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2784-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2784-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-45-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/3048-21-0x0000000022DA0000-0x0000000022E1E000-memory.dmp

Filesize
504KB

Download
memory/3048-31-0x0000000000280000-0x00000000002EB000-memory.dmp

Filesize
428KB

Download
memory/3048-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3048-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3048-46-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads