e10af0c9046f726797aaa27f13de5c9068f7aaa73468490b91ad11fdcd4028ca

General

Target

dedd51c9fabee7ff2dcc43d2279ada19.exe
Size

1.5MB
MD5

dedd51c9fabee7ff2dcc43d2279ada19
SHA1

94c22dc9c49a1737a7c01847e5da4ed864151067
SHA256

e10af0c9046f726797aaa27f13de5c9068f7aaa73468490b91ad11fdcd4028ca
SHA512

e89c9ad247078066d96073c3262e2f93a0f071472d1ecf06b54cb0084a6353d57a420f7dd34cd6542c40b7e2ab67b1194645f4238441810c9bf34f67ddc97c63
SSDEEP

24576:rs2Fs/lC51sZsm6bdcjukL2N3I5hC2TH5tY9NlqMcjukL2Y:rPFsty1sZsfdcakLWqhC2TH5t8NlqMcl

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	dedd51c9fabee7ff2dcc43d2279ada19.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	dedd51c9fabee7ff2dcc43d2279ada19.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	dedd51c9fabee7ff2dcc43d2279ada19.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000016c14-11.dat	upx
behavioral1/files/0x000a000000016c14-13.dat	upx
behavioral1/files/0x000a000000016c14-15.dat	upx
behavioral1/memory/2672-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3004	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dedd51c9fabee7ff2dcc43d2279ada19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dedd51c9fabee7ff2dcc43d2279ada19.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	dedd51c9fabee7ff2dcc43d2279ada19.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	dedd51c9fabee7ff2dcc43d2279ada19.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2612	dedd51c9fabee7ff2dcc43d2279ada19.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2612	dedd51c9fabee7ff2dcc43d2279ada19.exe
2672	dedd51c9fabee7ff2dcc43d2279ada19.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2672	2612	dedd51c9fabee7ff2dcc43d2279ada19.exe	29
PID 2612 wrote to memory of 2672	2612	dedd51c9fabee7ff2dcc43d2279ada19.exe	29
PID 2612 wrote to memory of 2672	2612	dedd51c9fabee7ff2dcc43d2279ada19.exe	29
PID 2612 wrote to memory of 2672	2612	dedd51c9fabee7ff2dcc43d2279ada19.exe	29
PID 2672 wrote to memory of 3004	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	30
PID 2672 wrote to memory of 3004	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	30
PID 2672 wrote to memory of 3004	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	30
PID 2672 wrote to memory of 3004	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	30
PID 2672 wrote to memory of 2536	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	32
PID 2672 wrote to memory of 2536	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	32
PID 2672 wrote to memory of 2536	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	32
PID 2672 wrote to memory of 2536	2672	dedd51c9fabee7ff2dcc43d2279ada19.exe	32
PID 2536 wrote to memory of 2648	2536	cmd.exe	35
PID 2536 wrote to memory of 2648	2536	cmd.exe	35
PID 2536 wrote to memory of 2648	2536	cmd.exe	35
PID 2536 wrote to memory of 2648	2536	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe
"C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe
  C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\Mdm58cVJD.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mdm58cVJD.xml

Filesize
1KB

MD5
04a65782e08072a6a420d41186883524

SHA1
d11e4e0b3f167f97e84c3ae84305259944540c9e

SHA256
f3ff8c98d68e89c035e98111dba9265aa1aea310f2a6a2518ba678370e39c7cb

SHA512
70d433bdcc50042626e0754a70faedbd44bebce9d3a0ed96268c438baafb79e452cbbcc84bc1fb18126bad0fe4232b1a6437b15d96d8dfb035b9d6fee8e067e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe

Filesize
160KB

MD5
6b5bccae5fec35f63f4a073d10e62b68

SHA1
432c56a46d4c442e074218bbbc5f4792c443b0a6

SHA256
63e39e23f890fd3683e11db720c5f4a1791dab87f8849533f8d9b8e4cd20c3c3

SHA512
216d206961b1afc90b49f9ff101001c9ff07334bcb22b2ef6c4b615fdf80d01b40bdfab28cce9cc872246f700a93ff100bcc80a5c8463789585cf2dbcc3084b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe

Filesize
328KB

MD5
c4b72824f1393ce6892d783d4a69a708

SHA1
7023c7d36c7eb85279776a8a335af5ff0833ccda

SHA256
c8a993d796d0e2cb013970709a202d910b7cc83ddfcad1f5e6f7ba6e2bb02299

SHA512
8b4f6b6752a650e82b267c78719b2372df97306c94a84c9f0e3ea9c2dbf75730bc1c5a14c1b6401d572a5ccc0a79f7316ef60c2ee2d19b48e0ba446bfc6f9b98

Download Submit
\Users\Admin\AppData\Local\Temp\dedd51c9fabee7ff2dcc43d2279ada19.exe

Filesize
415KB

MD5
519b0e910235cfa0b3b8b93ce0f8d0ce

SHA1
4cd944418713c2d846b81f194576c42e5e92f481

SHA256
4bc7e48636fa411744da67e0e858798f9657870eff4206f5ed053482425c92b1

SHA512
105e93b3f61a713444a2018938634a2312a15e800e418f8cc341df05070f992ec4df90c934e377b0de4671b8fb7551d8195f0b0529e316eb246b4cb31566b8b9

Download Submit
memory/2612-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2612-17-0x00000000230D0000-0x000000002332C000-memory.dmp

Filesize
2.4MB

Download
memory/2612-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2612-5-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2612-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2672-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2672-20-0x00000000002A0000-0x000000000031E000-memory.dmp

Filesize
504KB

Download
memory/2672-26-0x00000000001B0000-0x000000000021B000-memory.dmp

Filesize
428KB

Download
memory/2672-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2672-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads