cef9622b86e450dc489852b8a68e768fc7a105552988ecd4a131975ac647549e

General

Target

dac363894267c5d4fc1dcd2c183aa3db.exe
Size

11.0MB
MD5

dac363894267c5d4fc1dcd2c183aa3db
SHA1

636f3ce05856035a03c3661c966cae6d36a587f1
SHA256

cef9622b86e450dc489852b8a68e768fc7a105552988ecd4a131975ac647549e
SHA512

e9c4ac38b0f209e620206d8aac67d083482466fefba31235a39143aa7626e5e0b266c8f86d5202f72482292d063ff8a2ac5e7efabd06fb20059ae3c5d3bd2019
SSDEEP

98304:fDllpr78EOfllI35mCckFR+vicS43s0KgDLYws35mCckFR+vicS43:fDllprw1fli33FR+6c9owM33FR+6c

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	dac363894267c5d4fc1dcd2c183aa3db.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	dac363894267c5d4fc1dcd2c183aa3db.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	dac363894267c5d4fc1dcd2c183aa3db.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0009000000012280-11.dat	upx
behavioral1/memory/2668-17-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0009000000012280-14.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dac363894267c5d4fc1dcd2c183aa3db.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dac363894267c5d4fc1dcd2c183aa3db.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1972	dac363894267c5d4fc1dcd2c183aa3db.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1972	dac363894267c5d4fc1dcd2c183aa3db.exe
2668	dac363894267c5d4fc1dcd2c183aa3db.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2668	1972	dac363894267c5d4fc1dcd2c183aa3db.exe	28
PID 1972 wrote to memory of 2668	1972	dac363894267c5d4fc1dcd2c183aa3db.exe	28
PID 1972 wrote to memory of 2668	1972	dac363894267c5d4fc1dcd2c183aa3db.exe	28
PID 1972 wrote to memory of 2668	1972	dac363894267c5d4fc1dcd2c183aa3db.exe	28

C:\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe
"C:\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe
  C:\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe

Filesize
92KB

MD5
b99e9194dfcb5eae9327283bcd778af2

SHA1
8867ed46b325db74e2708ae489e4a9d7fe3d6962

SHA256
ca68f5c4f47886931d780ce13c81415baa0071a332d462af97172fb12869caed

SHA512
11dc5fbcfb6ef2d71fad3e71d018bf4cd06367ace7d8cce3e16cf817db0b953ea1691dac44652caafaadae575aa6d63d05208ade5432317d462171536b586445

Download Submit
\Users\Admin\AppData\Local\Temp\dac363894267c5d4fc1dcd2c183aa3db.exe

Filesize
115KB

MD5
3f020b19d78ea6fec073c6abfe41bf09

SHA1
290edebca89e7f27b23a1b861d4ae56c079fbaaf

SHA256
f046606bb8f523f08090b4d4bef849d36d7fbe2c7cecb0c088ec8a70138d3497

SHA512
82e864162b93e0dba2f0decb58d5b76345ef41a6561b3b78ba2ab09bf5615d3765592d4cb08bce871c6c58de0f43fae6e2f7d988a47d9e275c57201d1eb9e80e

Download Submit
memory/1972-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1972-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1972-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1972-16-0x0000000004C40000-0x00000000055DE000-memory.dmp

Filesize
9.6MB

Download
memory/1972-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1972-25-0x0000000004C40000-0x00000000055DE000-memory.dmp

Filesize
9.6MB

Download
memory/2668-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2668-19-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2668-26-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing