65ee62bdf6cb3613cc7a2f7071931ceb3fea20db6ed79c6f1c4ebf084ea6ee3b

General

Target

d45da87e194c73eb5e17150c5b95123d.exe
Size

133KB
MD5

d45da87e194c73eb5e17150c5b95123d
SHA1

7eb8c620e00f945bd3f84eabd6a7c07a329a1598
SHA256

65ee62bdf6cb3613cc7a2f7071931ceb3fea20db6ed79c6f1c4ebf084ea6ee3b
SHA512

4535e7eb20e49c5ee2c192f1d7742c4566e2280cc2d840b98951c0134eb24a880c1768a0a43ff4dc4dd78f9382d74a1b58888c359c991fee77561401823e8107
SSDEEP

3072:GUPkdsSYEqEg44WpGSqKHhZC+NB/hTj35jMlHoONgGsQ:GPs9EqE14WpGN6l/h/GlIssQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3016	d45da87e194c73eb5e17150c5b95123d.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	d45da87e194c73eb5e17150c5b95123d.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	d45da87e194c73eb5e17150c5b95123d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000013a71-14.dat	upx
behavioral1/files/0x000a000000013a71-11.dat	upx
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d45da87e194c73eb5e17150c5b95123d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d45da87e194c73eb5e17150c5b95123d.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	d45da87e194c73eb5e17150c5b95123d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	d45da87e194c73eb5e17150c5b95123d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	d45da87e194c73eb5e17150c5b95123d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2208	d45da87e194c73eb5e17150c5b95123d.exe
3016	d45da87e194c73eb5e17150c5b95123d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3016	2208	d45da87e194c73eb5e17150c5b95123d.exe	14
PID 2208 wrote to memory of 3016	2208	d45da87e194c73eb5e17150c5b95123d.exe	14
PID 2208 wrote to memory of 3016	2208	d45da87e194c73eb5e17150c5b95123d.exe	14
PID 2208 wrote to memory of 3016	2208	d45da87e194c73eb5e17150c5b95123d.exe	14

C:\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe
C:\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:3016

C:\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe
"C:\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe

Filesize
93KB

MD5
10f7d2a3cc5aacf96a829386fb2ebc9a

SHA1
65bdd87bee72259998abc12267d693d0af39b801

SHA256
b807dfef6dd6a3404730c2c9563873609f3768e3949b74188cfbb629d1170c13

SHA512
4a1de86b82c7ac204907d2db3766978b9d1d5743e35f949e4689c4ffc47e120cd372da032b1a68c3b2cf3793d77ba52eb664ab8b683f44a1da7a0e52bb0ba313

Download Submit
\Users\Admin\AppData\Local\Temp\d45da87e194c73eb5e17150c5b95123d.exe

Filesize
133KB

MD5
e55dbeb49ca4f7de4a26d832721d4bf9

SHA1
24135b84231a3c5eb048ddda8c66620a797614e2

SHA256
a9ea05b340061ecbd55344a6ac61a943ced61a5eb1fdd339bdfef3079e8ee0bb

SHA512
cd9fc683a161db7add56b8218571e3a230e0ed9e12b2c3bce4761b02f45c6883058ce8563a0b3df05bc7c93d105935287849ea8fdcaa0a7d08f0f6a3452126c4

Download Submit
memory/2208-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-3-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2208-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3016-17-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/3016-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3016-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing