62ed3c03ac9d98da4d9641034ab4f9574a4c0d91e73475947072b421aa09b385

General

Target

ba1059b8d62b45a80c5dd751c410a6f3.exe
Size

2.0MB
MD5

ba1059b8d62b45a80c5dd751c410a6f3
SHA1

c7d7b4c2b64cd3b757992b2a4d54f957d8c36fad
SHA256

62ed3c03ac9d98da4d9641034ab4f9574a4c0d91e73475947072b421aa09b385
SHA512

c44a2c9b2347771e9bb3e117bc7704e171070072389c6ba6f3922f203e8865014f06c2fec90efa7651ce17b134fe9ce996e50d706b999e5f6732ebede05738c9
SSDEEP

49152:8RLnUNibk/JWzLhMyag+DXUTQVAU5jaNayWdb3GpVByag+DXUTQVAU:MAkbk/JWzLhMyag+rUMVAUANB6STBya1

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	ba1059b8d62b45a80c5dd751c410a6f3.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	ba1059b8d62b45a80c5dd751c410a6f3.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	ba1059b8d62b45a80c5dd751c410a6f3.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-1-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012203-11.dat	upx
behavioral1/files/0x0009000000012203-17.dat	upx
behavioral1/memory/3056-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2548-16-0x00000000232D0000-0x000000002352C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2620	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	ba1059b8d62b45a80c5dd751c410a6f3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	ba1059b8d62b45a80c5dd751c410a6f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ba1059b8d62b45a80c5dd751c410a6f3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ba1059b8d62b45a80c5dd751c410a6f3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2548	ba1059b8d62b45a80c5dd751c410a6f3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2548	ba1059b8d62b45a80c5dd751c410a6f3.exe
3056	ba1059b8d62b45a80c5dd751c410a6f3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3056	2548	ba1059b8d62b45a80c5dd751c410a6f3.exe	29
PID 2548 wrote to memory of 3056	2548	ba1059b8d62b45a80c5dd751c410a6f3.exe	29
PID 2548 wrote to memory of 3056	2548	ba1059b8d62b45a80c5dd751c410a6f3.exe	29
PID 2548 wrote to memory of 3056	2548	ba1059b8d62b45a80c5dd751c410a6f3.exe	29
PID 3056 wrote to memory of 2620	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	30
PID 3056 wrote to memory of 2620	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	30
PID 3056 wrote to memory of 2620	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	30
PID 3056 wrote to memory of 2620	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	30
PID 3056 wrote to memory of 2684	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	34
PID 3056 wrote to memory of 2684	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	34
PID 3056 wrote to memory of 2684	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	34
PID 3056 wrote to memory of 2684	3056	ba1059b8d62b45a80c5dd751c410a6f3.exe	34
PID 2684 wrote to memory of 2616	2684	cmd.exe	33
PID 2684 wrote to memory of 2616	2684	cmd.exe	33
PID 2684 wrote to memory of 2616	2684	cmd.exe	33
PID 2684 wrote to memory of 2616	2684	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe
"C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe
  C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\vdgHr.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe

Filesize
266KB

MD5
bc7c06d20372c5db424526cf0b57769d

SHA1
2f5df33c5272628ba77282e09b7f38c62dcb18b9

SHA256
55a23ed4e41a406727ebe786914a5748f8e20a7bd32e99d3a6bd95a86d5c8a4a

SHA512
0a220b2979777e9240081ef468fadb1d64c384f2e44e4d32a764651b147662111d340816634091aa1ef1588c8fb0cf0f655dd725b2458dc3961cae6050e8f4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdgHr.xml

Filesize
1KB

MD5
dabb7be729d2d12b4dca83483e09d1e2

SHA1
eda0ca04ca7f3a23dc0bc1f010f629d85f2313e3

SHA256
cb5fa3be99bffe175a0e00fbd71abf3e9a59ae6b5ce9d0fc7bd0e817f95a620d

SHA512
f705713d63807cd3485ffd95e21400214e6b312c3a5030439337069e695e6456c44611fdd754a0dfda33f2bb9d57c17307c68430ead178a9f4822d56177e5a9a

Download Submit
\Users\Admin\AppData\Local\Temp\ba1059b8d62b45a80c5dd751c410a6f3.exe

Filesize
1024KB

MD5
20accd41a23db91fb9d1e85f38f1cfd6

SHA1
e13bd91aa2d6f1d7c1f2b0a092dbefcb8453fc82

SHA256
a94fa60e797d34f49e93d22efa153871b946ec3109c42b6d1e89f9fe261cd051

SHA512
3e5e3838543df5dde76e6dae5f04e98dbf27f975bbb1178bde82b1b0fcc95e24b686c224043101d3ca3d9b860bd96ca11f25612c74cffefd124695daa22438ba

Download Submit
memory/2548-16-0x00000000232D0000-0x000000002352C000-memory.dmp

Filesize
2.4MB

Download
memory/2548-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2548-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2548-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2548-3-0x00000000002E0000-0x000000000035E000-memory.dmp

Filesize
504KB

Download
memory/3056-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3056-20-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/3056-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3056-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3056-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads