65152c5a50caab683fa5284d35ee2ac60d1f5f7a69677f98ee9e66b8bddb8a68

General

Target

cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
Size

1.5MB
MD5

cddd92e4ab0e6ddf5e81cea5a40b92a3
SHA1

7159149dc09e90d875d2b48b6da89b5899ed0e51
SHA256

65152c5a50caab683fa5284d35ee2ac60d1f5f7a69677f98ee9e66b8bddb8a68
SHA512

c41ddb091b46aa8ca22f2eebecdb751f784d5b64ce9e7a38aecc35b8b6c5add877324bffca02540b219f96951fdc6fa5e144b84e89533a2b916b156ed705c9cf
SSDEEP

24576:AXt0ONB6Ule/RJsNvb7wEKIkcjukL2r1R4c0buHXTnuesv5scjukL2Y:E2ONB6Ule/RJ2b7wE4cakL21R4c0a3TM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012280-11.dat	upx
behavioral1/files/0x0009000000012280-17.dat	upx
behavioral1/memory/1720-16-0x0000000022FA0000-0x00000000231FC000-memory.dmp	upx
behavioral1/memory/2692-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2692	1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	29
PID 1720 wrote to memory of 2692	1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	29
PID 1720 wrote to memory of 2692	1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	29
PID 1720 wrote to memory of 2692	1720	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	29
PID 2692 wrote to memory of 2592	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	30
PID 2692 wrote to memory of 2592	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	30
PID 2692 wrote to memory of 2592	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	30
PID 2692 wrote to memory of 2592	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	30
PID 2692 wrote to memory of 2816	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	32
PID 2692 wrote to memory of 2816	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	32
PID 2692 wrote to memory of 2816	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	32
PID 2692 wrote to memory of 2816	2692	cddd92e4ab0e6ddf5e81cea5a40b92a3.exe	32
PID 2816 wrote to memory of 2768	2816	cmd.exe	34
PID 2816 wrote to memory of 2768	2816	cmd.exe	34
PID 2816 wrote to memory of 2768	2816	cmd.exe	34
PID 2816 wrote to memory of 2768	2816	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
"C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
  C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\w0AKjC.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Filesize
761KB

MD5
5b88447e818ce0a8706779f6ebb260a0

SHA1
cbcb649f54b0614b4b32ba7666157efed8824625

SHA256
88832602af888e992ea7a3a26c49744325bae1a1a2c0fe49d2961b50d3c52b3a

SHA512
cc7565b463b3637268cdd040e8dcbe0a454aa7b19ad25285fed9a4fa5441a1ad0a3d3e738963075d42a89646d4e5db547891f32e4c1e96f237d6b8fd2756432b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0AKjC.xml

Filesize
1KB

MD5
eaa0f39502b262d06712410514184f18

SHA1
eab2e8d63bb0c7f044e844c9295232bd9ee5c415

SHA256
65a6650713fbc5acb4d6859068d9d23cce6b7f59111ddee64bed31dcc143eb62

SHA512
7e138413ca6042c0a34c609d0efd4da0da4513f3e370c5eb95764b78bd367eb113d92d6ad3b87f524278c8191ee580b5b8dc773d04c6f37c46c76702f1e4573f

Download Submit
\Users\Admin\AppData\Local\Temp\cddd92e4ab0e6ddf5e81cea5a40b92a3.exe

Filesize
564KB

MD5
858b7942d814a523fff50df8960fa44e

SHA1
42bf07446dae7691557862e28a91c6baaa89f95b

SHA256
61f2de16f25889f25c85930f2b9770e3847e14734d76c33cf3710c226a830a31

SHA512
bce141c3f43be8908e0d75c895170babccae2442c2036a0540a5be75d8a755acac46f84e8d8495dea9d7dc6c1431059db908d58b8a8d568a29558f8ed421595e

Download Submit
memory/1720-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1720-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1720-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1720-16-0x0000000022FA0000-0x00000000231FC000-memory.dmp

Filesize
2.4MB

Download
memory/1720-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2692-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2692-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads