8aef7ed3e4156bb96fbaeb55f0ac1c9f81aa28b4eb4935c3c77a8295f287ba5c

General

Target

e050e815a396f289e10eb4f4a06d9302.exe
Size

3.9MB
MD5

e050e815a396f289e10eb4f4a06d9302
SHA1

d30155a872fced6297b12f3eb1c2933015abc171
SHA256

8aef7ed3e4156bb96fbaeb55f0ac1c9f81aa28b4eb4935c3c77a8295f287ba5c
SHA512

95dd7ca219e84290bfcf9beba8c250cedfd52d7a29ce31445eeab10a6562f528a0fa4c8f8b58ae2263bb7071b3580902681f35ec5805d1c36e4272268d6a79e1
SSDEEP

98304:tqF6VhOAd0cz/D2i7D3xkOxYwpK9CQx64gRAtD2i7D3xkOxYwpKnYsNwPD2i7D3d:tk6scz/h7FkNqKnE4gRMh7FkNqKMh7Fb

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	e050e815a396f289e10eb4f4a06d9302.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	e050e815a396f289e10eb4f4a06d9302.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	e050e815a396f289e10eb4f4a06d9302.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012255-11.dat	upx
behavioral1/files/0x0008000000012255-15.dat	upx
behavioral1/files/0x0008000000012255-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2560	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e050e815a396f289e10eb4f4a06d9302.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e050e815a396f289e10eb4f4a06d9302.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	e050e815a396f289e10eb4f4a06d9302.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	e050e815a396f289e10eb4f4a06d9302.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2644	e050e815a396f289e10eb4f4a06d9302.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2644	e050e815a396f289e10eb4f4a06d9302.exe
2768	e050e815a396f289e10eb4f4a06d9302.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2768	2644	e050e815a396f289e10eb4f4a06d9302.exe	29
PID 2644 wrote to memory of 2768	2644	e050e815a396f289e10eb4f4a06d9302.exe	29
PID 2644 wrote to memory of 2768	2644	e050e815a396f289e10eb4f4a06d9302.exe	29
PID 2644 wrote to memory of 2768	2644	e050e815a396f289e10eb4f4a06d9302.exe	29
PID 2768 wrote to memory of 2560	2768	e050e815a396f289e10eb4f4a06d9302.exe	31
PID 2768 wrote to memory of 2560	2768	e050e815a396f289e10eb4f4a06d9302.exe	31
PID 2768 wrote to memory of 2560	2768	e050e815a396f289e10eb4f4a06d9302.exe	31
PID 2768 wrote to memory of 2560	2768	e050e815a396f289e10eb4f4a06d9302.exe	31
PID 2768 wrote to memory of 2996	2768	e050e815a396f289e10eb4f4a06d9302.exe	33
PID 2768 wrote to memory of 2996	2768	e050e815a396f289e10eb4f4a06d9302.exe	33
PID 2768 wrote to memory of 2996	2768	e050e815a396f289e10eb4f4a06d9302.exe	33
PID 2768 wrote to memory of 2996	2768	e050e815a396f289e10eb4f4a06d9302.exe	33
PID 2996 wrote to memory of 2368	2996	cmd.exe	35
PID 2996 wrote to memory of 2368	2996	cmd.exe	35
PID 2996 wrote to memory of 2368	2996	cmd.exe	35
PID 2996 wrote to memory of 2368	2996	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe
"C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe
  C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\TxUZS2.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TxUZS2.xml

Filesize
1KB

MD5
aee3f6f36bbcf2d90aa2434ef25bf7e3

SHA1
9b90f31abeef85e8d2f03f77121454a0c00504e3

SHA256
97bfeeaf46d224ac8e2c37e46a9a3cb0f675db4db17072e390d2cac7ca75b80f

SHA512
50e4f8e1b233eb1eeac745167c6b1ad2e9a6918e0ca69b204b58ec57afddd7ce4ecf4466e9ecd1c07deffe1c76a9fff272f5d1a73268e3102a2285e149ba71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe

Filesize
690KB

MD5
de2217c29ff4a8c13c450defc84abb26

SHA1
48bca041eae616070912506a03ebb69fa1d63b5a

SHA256
f3267436c2ae313c424096c32c6496a042d7745b6ab77ce1a8d6db19f9507132

SHA512
c336bdd567d69837fb04d4c7b9f642832c389181dbb8f6483f044a725fc78357f4d035b5825cf4c57dc979ab2031b47ce48360b18237c5a7df483bc717f73823

Download Submit
C:\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe

Filesize
601KB

MD5
665a729523b1d6c940840d8513f2dbfe

SHA1
25ab51e09575b98f07080c3b317ac597e4f552ec

SHA256
06bbc52da99d85fabbdf009c26257d111c06f01914b18a9c8ad3a231161018fb

SHA512
65a48729af962ec4abf88c5f12fb43f3843c7ad8d2075245864c60c6eda9b526eb64e9cd4ca375863e09a14bdb1ca47c23b05f7561d4cc3c0280d1b8d10271c3

Download Submit
\Users\Admin\AppData\Local\Temp\e050e815a396f289e10eb4f4a06d9302.exe

Filesize
684KB

MD5
1e4bbdc740b11e190af78cbb60738d73

SHA1
be3cb7ac5f630b0bd6baab27ef86ad2f906ff384

SHA256
8e0ee0019915827800eb9301540e419dcc99a6bc034f8ab1994335d17d8988a5

SHA512
45c6dc215d8deaa05716a86c9fd8f6cf002ae036eac8ad239282ccda4bf74e83564417011f3d4f4b93f9fba7fd46540f9c35933d363acf12b2a847c82c7f5d41

Download Submit
memory/2644-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2644-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2644-7-0x00000000001B0000-0x000000000022E000-memory.dmp

Filesize
504KB

Download
memory/2644-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2644-54-0x00000000236C0000-0x000000002391C000-memory.dmp

Filesize
2.4MB

Download
memory/2644-18-0x00000000236C0000-0x000000002391C000-memory.dmp

Filesize
2.4MB

Download
memory/2768-21-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2768-31-0x0000000000310000-0x000000000037B000-memory.dmp

Filesize
428KB

Download
memory/2768-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2768-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads