1cfd00b0d4b4ea345feb82811ed6c085a7d95f96b3a2f4f3db8f739220b92a75

General

Target

d503056ec6e08ce00b34e08e1db5d3a1.exe
Size

7.8MB
MD5

d503056ec6e08ce00b34e08e1db5d3a1
SHA1

a7d763c982b120e0603a45907e34885cfd1246bf
SHA256

1cfd00b0d4b4ea345feb82811ed6c085a7d95f96b3a2f4f3db8f739220b92a75
SHA512

1c1deafcac07b182de546b27a7886ee1eb22d50f78b67b2031b42ed66b33bc00e6f14f798c4763d5dc3431c28d6b6590d3fba4bbd2a5c3b26a008cd34dccb0af
SSDEEP

196608:ohRbdlirsJ+2dlirf0LdlirsJ+2dliru7PmmdlirsJ+2dlirf0LdlirsJ+2dlir:ohRXqSR7PmEqS

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	d503056ec6e08ce00b34e08e1db5d3a1.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	d503056ec6e08ce00b34e08e1db5d3a1.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	d503056ec6e08ce00b34e08e1db5d3a1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-17.dat	upx
behavioral1/memory/2132-16-0x0000000023EB0000-0x000000002410C000-memory.dmp	upx
behavioral1/memory/2692-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-14.dat	upx
behavioral1/files/0x000a000000012255-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2272	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	d503056ec6e08ce00b34e08e1db5d3a1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d503056ec6e08ce00b34e08e1db5d3a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d503056ec6e08ce00b34e08e1db5d3a1.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	d503056ec6e08ce00b34e08e1db5d3a1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	d503056ec6e08ce00b34e08e1db5d3a1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2132	d503056ec6e08ce00b34e08e1db5d3a1.exe
2692	d503056ec6e08ce00b34e08e1db5d3a1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2692	2132	d503056ec6e08ce00b34e08e1db5d3a1.exe	29
PID 2132 wrote to memory of 2692	2132	d503056ec6e08ce00b34e08e1db5d3a1.exe	29
PID 2132 wrote to memory of 2692	2132	d503056ec6e08ce00b34e08e1db5d3a1.exe	29
PID 2132 wrote to memory of 2692	2132	d503056ec6e08ce00b34e08e1db5d3a1.exe	29
PID 2692 wrote to memory of 2272	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	30
PID 2692 wrote to memory of 2272	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	30
PID 2692 wrote to memory of 2272	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	30
PID 2692 wrote to memory of 2272	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	30
PID 2692 wrote to memory of 2904	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	34
PID 2692 wrote to memory of 2904	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	34
PID 2692 wrote to memory of 2904	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	34
PID 2692 wrote to memory of 2904	2692	d503056ec6e08ce00b34e08e1db5d3a1.exe	34
PID 2904 wrote to memory of 2076	2904	cmd.exe	36
PID 2904 wrote to memory of 2076	2904	cmd.exe	36
PID 2904 wrote to memory of 2076	2904	cmd.exe	36
PID 2904 wrote to memory of 2076	2904	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe
"C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe
  C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\Q1XNVrW8.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Q1XNVrW8.xml

Filesize
1KB

MD5
b5230bba860e79fc535fc5fcae8ace20

SHA1
72af7a553c102496cdca86473205d124b7063b62

SHA256
b64d2d60906b1fa4457ce117631f936486aaf56528513974650c3cc1d27a98bd

SHA512
2b078938447ff2cf1c0b87d7a3800e539ea3a92b16a1f9e43aee71e1c2d191ebde9971ed2d5f6ebabfe648df0b7e53a0e8a20417593dc87c3ce2027ae4aff75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe

Filesize
250KB

MD5
a83cb59097b972c1d34d395b0bf2e863

SHA1
d438f3289940f12d0f6d006c740b9266b3e86378

SHA256
aa4d0456b58015610d6d671f4f75afc05a653e0f4504ed108b700dd31701b6df

SHA512
52552f67b0f285e5e924f9c8b60811428ca946c68745566e2eaee331b6f8e380257fd915997b96ed509f7c366301d5d3030638060b67804a624ed866656d3731

Download Submit
C:\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe

Filesize
327KB

MD5
1bc1755f7ed6c321d1e4fcf43647c009

SHA1
2d48f0027111efb76b8142d1b1c8303c0efe4591

SHA256
f504ce8bf0a5297458f76c23aa5632077cc25f097583ae449e941418dfebb74d

SHA512
e1b941dc2e7f3cb5400b4e6c99872b7f257e7f61a3bf246376a9d5379fb87e33abc8c49f22834c0bf6c9dac1bc7f25be034ca3769e0f743640628e0c9bb0ba85

Download Submit
\Users\Admin\AppData\Local\Temp\d503056ec6e08ce00b34e08e1db5d3a1.exe

Filesize
334KB

MD5
008e064d4872d3af305ae5490f76f946

SHA1
e810634ccf8d89b0de0a776986672b4e9e934866

SHA256
b3be30bb8c0932d61f916819a3586c87f855dbe31e879861a685d9fc590a74f1

SHA512
d339e8d71cfcb611d8aab5df487266d58bc90ce6a223325dcd9d8efe3c2757029ad537b0ed324ffe46dc4d6350d17a2b260554284e7b2510ec728cc983ad42fa

Download Submit
memory/2132-16-0x0000000023EB0000-0x000000002410C000-memory.dmp

Filesize
2.4MB

Download
memory/2132-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2132-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2132-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2132-32-0x0000000023EB0000-0x000000002410C000-memory.dmp

Filesize
2.4MB

Download
memory/2132-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2692-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2692-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-30-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2692-33-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads