d1ff8a04cdcb69c870e53975305bbd0e93fb480c26894b63b2defba7b90ccced

General

Target

c0c3c6c7a92ab346272fa420403fa9d6.exe
Size

1003KB
MD5

c0c3c6c7a92ab346272fa420403fa9d6
SHA1

0288c8e28b6aed3d90fc9093a5323f1a568246a8
SHA256

d1ff8a04cdcb69c870e53975305bbd0e93fb480c26894b63b2defba7b90ccced
SHA512

9bdfabb5b0b4f51752fb76b5109b82dc7e906edf487e56929b77ee04e627341fbc71e3a0c2b71bb55ac1e46cee13e51a79c31ba9739582bf478fc847101355ae
SSDEEP

24576:O1fcndcSUW4I1nhiWDnJl1fVqjAqIT6wo6RIa:O10ndc7ClhiWDnJl1fIjAqW6OH

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	c0c3c6c7a92ab346272fa420403fa9d6.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	c0c3c6c7a92ab346272fa420403fa9d6.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	c0c3c6c7a92ab346272fa420403fa9d6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012267-11.dat	upx
behavioral1/files/0x0008000000012267-17.dat	upx
behavioral1/memory/2104-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c0c3c6c7a92ab346272fa420403fa9d6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c0c3c6c7a92ab346272fa420403fa9d6.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c0c3c6c7a92ab346272fa420403fa9d6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c0c3c6c7a92ab346272fa420403fa9d6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	c0c3c6c7a92ab346272fa420403fa9d6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2224	c0c3c6c7a92ab346272fa420403fa9d6.exe
2104	c0c3c6c7a92ab346272fa420403fa9d6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2104	2224	c0c3c6c7a92ab346272fa420403fa9d6.exe	29
PID 2224 wrote to memory of 2104	2224	c0c3c6c7a92ab346272fa420403fa9d6.exe	29
PID 2224 wrote to memory of 2104	2224	c0c3c6c7a92ab346272fa420403fa9d6.exe	29
PID 2224 wrote to memory of 2104	2224	c0c3c6c7a92ab346272fa420403fa9d6.exe	29
PID 2104 wrote to memory of 2712	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	30
PID 2104 wrote to memory of 2712	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	30
PID 2104 wrote to memory of 2712	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	30
PID 2104 wrote to memory of 2712	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	30
PID 2104 wrote to memory of 2948	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	32
PID 2104 wrote to memory of 2948	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	32
PID 2104 wrote to memory of 2948	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	32
PID 2104 wrote to memory of 2948	2104	c0c3c6c7a92ab346272fa420403fa9d6.exe	32
PID 2948 wrote to memory of 2704	2948	cmd.exe	34
PID 2948 wrote to memory of 2704	2948	cmd.exe	34
PID 2948 wrote to memory of 2704	2948	cmd.exe	34
PID 2948 wrote to memory of 2704	2948	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe
"C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe
  C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\UzBh3.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UzBh3.xml

Filesize
1KB

MD5
6c78f15b06cc39a3390fc08780219ebf

SHA1
2bbc7f034ad048cfa22538cea172edaf0405a68f

SHA256
bcf44fa0611bad45c7c810ea0c15d6559416e8d279e84ef4389c178438b2a610

SHA512
22dc64e60afa105ca6c0dac15883c1790f801a11cd65a5beb0aff37d3426fa51c0313434b62f89959ed84cf0abc76a3a5f8745c806a9c5bc326ad88e1fc91609

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe

Filesize
804KB

MD5
b5ddc021f0c7544e69936553277b758a

SHA1
94bc98d6423432cc0fee863dedb92bcdafd64d7d

SHA256
9acb383ffce50fef4ee1a45f980c4f2da2d4c83ea169296b84cd9ff6adab81e7

SHA512
0dab8b4200ad834f776a6884605823e9f93e09e7e6c9d7b92ac5539a5ab1793515f789bcfca39281aedbd0c520a4c9a7d110e788bbdc250acf61837f5d299250

Download Submit
\Users\Admin\AppData\Local\Temp\c0c3c6c7a92ab346272fa420403fa9d6.exe

Filesize
452KB

MD5
535fbd95a6a16544072ecf06cec6b8b2

SHA1
b7c137a569d90d6561f2a451d48d25b311bbaff2

SHA256
27e6a3f0e2e4568537593bddf8c22c226aaa063da0d57424091e29e27d5853c9

SHA512
f5c2d613428af21f8a72adbb20db7b56e17a5c1b08ffcbfd2ef1499507ad8c4524776bc43d4cfa847a8534952372f9d7b09305e7caebcfb431777fbccda94a8f

Download Submit
memory/2104-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2104-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2104-21-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2104-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2104-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2224-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2224-16-0x0000000022EC0000-0x000000002311C000-memory.dmp

Filesize
2.4MB

Download
memory/2224-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2224-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2224-3-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download
memory/2224-54-0x0000000022EC0000-0x000000002311C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads