fbd135073762e52897d66832a7e57babf93e6b2edf9128e7a82ff9ede0f3a79e

General

Target

b8b7534bb14badf8e6cd28d3900a72de.exe
Size

2.0MB
MD5

b8b7534bb14badf8e6cd28d3900a72de
SHA1

39440f72dbf999b146159a0f50ec327afc6a26c3
SHA256

fbd135073762e52897d66832a7e57babf93e6b2edf9128e7a82ff9ede0f3a79e
SHA512

58dc13a3827c8a2b34ebae12c3bce4d99ef0ee58441fb415d1d46dc3df58c380a989d4b642dc61b550129da6e31fce1864f59202496f6e1237b34f4d4634879f
SSDEEP

49152:YbVCxoKtv/TZtupu1WuGfB7it4NaLRXB8MRBfY7bupu1WuGfB7it:Yb8xoUTZtupIWuGfB7W44LL8MRS7bup0

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	b8b7534bb14badf8e6cd28d3900a72de.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	b8b7534bb14badf8e6cd28d3900a72de.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	b8b7534bb14badf8e6cd28d3900a72de.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00330000000155a0-11.dat	upx
behavioral1/files/0x00330000000155a0-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1656	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b8b7534bb14badf8e6cd28d3900a72de.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b8b7534bb14badf8e6cd28d3900a72de.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b8b7534bb14badf8e6cd28d3900a72de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b8b7534bb14badf8e6cd28d3900a72de.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	b8b7534bb14badf8e6cd28d3900a72de.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2860	b8b7534bb14badf8e6cd28d3900a72de.exe
2264	b8b7534bb14badf8e6cd28d3900a72de.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2264	2860	b8b7534bb14badf8e6cd28d3900a72de.exe	31
PID 2860 wrote to memory of 2264	2860	b8b7534bb14badf8e6cd28d3900a72de.exe	31
PID 2860 wrote to memory of 2264	2860	b8b7534bb14badf8e6cd28d3900a72de.exe	31
PID 2860 wrote to memory of 2264	2860	b8b7534bb14badf8e6cd28d3900a72de.exe	31
PID 2264 wrote to memory of 1656	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	32
PID 2264 wrote to memory of 1656	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	32
PID 2264 wrote to memory of 1656	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	32
PID 2264 wrote to memory of 1656	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	32
PID 2264 wrote to memory of 2612	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	34
PID 2264 wrote to memory of 2612	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	34
PID 2264 wrote to memory of 2612	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	34
PID 2264 wrote to memory of 2612	2264	b8b7534bb14badf8e6cd28d3900a72de.exe	34
PID 2612 wrote to memory of 2688	2612	cmd.exe	36
PID 2612 wrote to memory of 2688	2612	cmd.exe	36
PID 2612 wrote to memory of 2688	2612	cmd.exe	36
PID 2612 wrote to memory of 2688	2612	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe
"C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe
  C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\TTD9weLBY.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TTD9weLBY.xml

Filesize
1KB

MD5
322f9dbd27c3dfadd7a13486abdbb68a

SHA1
b9b29714f98e3075cc0d34d610bf13650b2222bd

SHA256
b97c2ce6b33b5791447c9b44feea981e8a7e08d415cf0458b0556b7ff631802a

SHA512
98aae35d8e45b51de612fe94107eaf20a49075dbd54344527a25dff246bda57b571ad28969eca51045672ebaf5efc2c43b33e879ef4352956252384a317f77cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe

Filesize
1.3MB

MD5
db9c6421cda23ba9fd0e2359cd05e1c3

SHA1
87c62bcd20f3eba6c2418ca5cd3defcd5b0b9400

SHA256
fd5bb3da2a3b0557cb58a72257294b4ff94cc032b90fc6e79542990d09822dcf

SHA512
10648e15091921579f6a6fcf7f200dabd26fb33e621ac66e385f16134c6299c67c0aa2818eb77b3cd272d2b45d33ac76eb8a41937af4f988fefb1d3c94d970a1

Download Submit
\Users\Admin\AppData\Local\Temp\b8b7534bb14badf8e6cd28d3900a72de.exe

Filesize
805KB

MD5
6183e271130486bd5f72be8d5d8e69cd

SHA1
046415b38b01f6c9353a158228506a610a40ed91

SHA256
021d1708ccf0548056f9e9fee55f0e3bbfaf562eda038b831c7f9df5b8ef93ab

SHA512
e3c3cb09844460b42455d6b58a02d93a0472ecb2464469506c69b41f44b47518e2668baf57f4af16dd505fb3c9dbfbeb7dd39d632fb810ada1de65dbd27c98ff

Download Submit
memory/2264-18-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2264-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2264-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2264-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2264-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2860-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2860-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2860-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads