782b1177814a54b907d0f986e2a9ee7dac14dd68d1f77c883977a64ecb1201f2

General

Target

c81f5f49f4f5c6fee63f32ce61e98af0.exe
Size

266KB
MD5

c81f5f49f4f5c6fee63f32ce61e98af0
SHA1

e62f2709b3dcd69699aa263958ffe1fab5832570
SHA256

782b1177814a54b907d0f986e2a9ee7dac14dd68d1f77c883977a64ecb1201f2
SHA512

6885e78171902887ee0824ac2115550ab1550078ee93e6615e1ed3217240ab21e498faf635cac7ba4187f7499474c47ab017a353432f83ca6e4ce4e7a963164b
SSDEEP

6144:3LLZu6v2k25QC9BZcL5pz4EIh1hlbhkbau8o/di/nkScOrN0Q:71u6vBY81pOltkbau8pkDOh1

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1464	c81f5f49f4f5c6fee63f32ce61e98af0.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	c81f5f49f4f5c6fee63f32ce61e98af0.exe

Loads dropped DLL 1 IoCs

pid	Process
1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000e000000012247-11.dat	upx
behavioral1/memory/1996-13-0x0000000000190000-0x0000000000216000-memory.dmp	upx
behavioral1/files/0x000e000000012247-16.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c81f5f49f4f5c6fee63f32ce61e98af0.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c81f5f49f4f5c6fee63f32ce61e98af0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c81f5f49f4f5c6fee63f32ce61e98af0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c81f5f49f4f5c6fee63f32ce61e98af0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe
1464	c81f5f49f4f5c6fee63f32ce61e98af0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1464	1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe	29
PID 1996 wrote to memory of 1464	1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe	29
PID 1996 wrote to memory of 1464	1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe	29
PID 1996 wrote to memory of 1464	1996	c81f5f49f4f5c6fee63f32ce61e98af0.exe	29

C:\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe
"C:\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe
  C:\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe

Filesize
266KB

MD5
36da35e6eb31fe6178a85d2a466402a2

SHA1
4758db3e85c3f5e5f0d4622782f684451518642d

SHA256
0ec464b6b360ac27977c5de5753acc0b31fc31ff5fd0cbb7ad3760667b093a0b

SHA512
eb92c5326cdd865e583b7bb2a1e592aa7b16a331d8b12f07f55e7b83a2ed2afb6adf7d8fe50e0c802c7a2ad84e72389f2a0dceaad9f6ea66c410df906fda33a0

Download Submit
\Users\Admin\AppData\Local\Temp\c81f5f49f4f5c6fee63f32ce61e98af0.exe

Filesize
64KB

MD5
b98817e98f8b8d0f43d0dea939fd51f4

SHA1
2473a0540add2660eca76a3a03ff0de2582dff53

SHA256
ead3cf3c38aea195265261f0094794ed23a0beb969bfce4813c04c680c40778b

SHA512
47e46f3b11b34419fcbcdf9a237b5b8a84eb3869d3e7593a1624076ab1f2a10e0519a7502000ffe12ad9639166c6ea4c137a685e4df8cc514f535e2be5c41ad7

Download Submit
memory/1464-17-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1464-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1464-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1996-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1996-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1996-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-13-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing