cc943fc41c3dce5851a7805b44bf7fc251ca0b8733cbbce58857e1bc4f23cbed

General

Target

c61db8d4629c37e91a53012b8a862e1b.exe
Size

6.0MB
MD5

c61db8d4629c37e91a53012b8a862e1b
SHA1

4c96bd8ac242bcca8cb0d638186ead80b95b61ed
SHA256

cc943fc41c3dce5851a7805b44bf7fc251ca0b8733cbbce58857e1bc4f23cbed
SHA512

e005c82ddb1e8fbe878e46be3ebb538d73ec073c86531d045a9a0c06a7a65fdd5976cc80eaa37be6ed74bba2d573dc3ae36c71de494bf75b4df4e25e69d83660
SSDEEP

98304:HFCAB4cakhXKihPmcak0l2Tq+JIrlcakhXKihPmcaka1OHMhU5MWLRyXutcakhXL:HFCAB4dQOd9gf2dQOdpm9ly2dQOd9gfv

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1764	c61db8d4629c37e91a53012b8a862e1b.exe

Executes dropped EXE 1 IoCs

pid	Process
1764	c61db8d4629c37e91a53012b8a862e1b.exe

Loads dropped DLL 1 IoCs

pid	Process
2472	c61db8d4629c37e91a53012b8a862e1b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2472-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012253-11.dat	upx
behavioral1/memory/2472-15-0x0000000023AC0000-0x0000000023D1C000-memory.dmp	upx
behavioral1/files/0x000a000000012253-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2104	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c61db8d4629c37e91a53012b8a862e1b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c61db8d4629c37e91a53012b8a862e1b.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c61db8d4629c37e91a53012b8a862e1b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c61db8d4629c37e91a53012b8a862e1b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2472	c61db8d4629c37e91a53012b8a862e1b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2472	c61db8d4629c37e91a53012b8a862e1b.exe
1764	c61db8d4629c37e91a53012b8a862e1b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1764	2472	c61db8d4629c37e91a53012b8a862e1b.exe	29
PID 2472 wrote to memory of 1764	2472	c61db8d4629c37e91a53012b8a862e1b.exe	29
PID 2472 wrote to memory of 1764	2472	c61db8d4629c37e91a53012b8a862e1b.exe	29
PID 2472 wrote to memory of 1764	2472	c61db8d4629c37e91a53012b8a862e1b.exe	29
PID 1764 wrote to memory of 2104	1764	c61db8d4629c37e91a53012b8a862e1b.exe	30
PID 1764 wrote to memory of 2104	1764	c61db8d4629c37e91a53012b8a862e1b.exe	30
PID 1764 wrote to memory of 2104	1764	c61db8d4629c37e91a53012b8a862e1b.exe	30
PID 1764 wrote to memory of 2104	1764	c61db8d4629c37e91a53012b8a862e1b.exe	30
PID 1764 wrote to memory of 2604	1764	c61db8d4629c37e91a53012b8a862e1b.exe	32
PID 1764 wrote to memory of 2604	1764	c61db8d4629c37e91a53012b8a862e1b.exe	32
PID 1764 wrote to memory of 2604	1764	c61db8d4629c37e91a53012b8a862e1b.exe	32
PID 1764 wrote to memory of 2604	1764	c61db8d4629c37e91a53012b8a862e1b.exe	32
PID 2604 wrote to memory of 916	2604	cmd.exe	34
PID 2604 wrote to memory of 916	2604	cmd.exe	34
PID 2604 wrote to memory of 916	2604	cmd.exe	34
PID 2604 wrote to memory of 916	2604	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe
"C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe
  C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\HMrJwe.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe

Filesize
4.6MB

MD5
d016f10522b40035d93c8ca580be5c26

SHA1
db4639f750eb804a0eeb64a1a62cf358971bfc2d

SHA256
7f73e6c06ebe73212c9947e73a9fba30c0d642569d34a13e1d3e5000c4e90f02

SHA512
4684ce959ac1f15e8f7c5dd6708674ba7cab8482b0243a2b86401ba75d76cc8b119b1572840978a9b14b1e1bc1b4909ca386c3ffc176194a46e34496fcab7b32

Download Submit
\Users\Admin\AppData\Local\Temp\c61db8d4629c37e91a53012b8a862e1b.exe

Filesize
2.8MB

MD5
b21d6cc1bc5d6e95b7e8827ebad9e932

SHA1
70efae95c9c38e8b63742a4f59655a4951b522c2

SHA256
05b25f17be3564e549ac5204e000739223d056a798f817c56d46e786cacde3e1

SHA512
85c289ec5fafeb2cd28769b7233936d12ac9fffc5aaf8c1201e16d4bcf5a208da0bbc6fb124f47e7b6cd742ddc9598a4e53c313a1b1e487df6884089dae63e73

Download Submit
memory/1764-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1764-31-0x0000000000330000-0x000000000039B000-memory.dmp

Filesize
428KB

Download
memory/1764-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1764-21-0x00000000002B0000-0x000000000032E000-memory.dmp

Filesize
504KB

Download
memory/1764-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2472-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2472-15-0x0000000023AC0000-0x0000000023D1C000-memory.dmp

Filesize
2.4MB

Download
memory/2472-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2472-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2472-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads