b01ff48f46de12777c7e3bdba68591f781d3fa3ba927f8f437a631bbb40b8d37

General

Target

d7a5c95ba622121c03aff01b4a8361ee.exe
Size

3.9MB
MD5

d7a5c95ba622121c03aff01b4a8361ee
SHA1

6d9e7cc51a0a670d338d95361edd6548229f15a5
SHA256

b01ff48f46de12777c7e3bdba68591f781d3fa3ba927f8f437a631bbb40b8d37
SHA512

5ccc7e0fa7226e5c68eefdf855a860070a7065c06877de620ea9506a15610be9d7b8a06f36f9a7d33dfb30bed3bb92cf27a23dd30441f6cdd729895f28ae7e0b
SSDEEP

98304:izkm+SNYvcakcibiqhw5vB5HycakcibiqhRGx+P3JkVS1lOCfXqjcakcibiqhw5H:+rN4dlirSdydliry+PqbCPqjdlirSdy+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	d7a5c95ba622121c03aff01b4a8361ee.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	d7a5c95ba622121c03aff01b4a8361ee.exe

Loads dropped DLL 1 IoCs

pid	Process
2492	d7a5c95ba622121c03aff01b4a8361ee.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012270-11.dat	upx
behavioral1/files/0x0008000000012270-17.dat	upx
behavioral1/memory/2492-16-0x0000000023720000-0x000000002397C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1968	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d7a5c95ba622121c03aff01b4a8361ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d7a5c95ba622121c03aff01b4a8361ee.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	d7a5c95ba622121c03aff01b4a8361ee.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	d7a5c95ba622121c03aff01b4a8361ee.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2492	d7a5c95ba622121c03aff01b4a8361ee.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2492	d7a5c95ba622121c03aff01b4a8361ee.exe
2712	d7a5c95ba622121c03aff01b4a8361ee.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2712	2492	d7a5c95ba622121c03aff01b4a8361ee.exe	29
PID 2492 wrote to memory of 2712	2492	d7a5c95ba622121c03aff01b4a8361ee.exe	29
PID 2492 wrote to memory of 2712	2492	d7a5c95ba622121c03aff01b4a8361ee.exe	29
PID 2492 wrote to memory of 2712	2492	d7a5c95ba622121c03aff01b4a8361ee.exe	29
PID 2712 wrote to memory of 1968	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	30
PID 2712 wrote to memory of 1968	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	30
PID 2712 wrote to memory of 1968	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	30
PID 2712 wrote to memory of 1968	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	30
PID 2712 wrote to memory of 2796	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	33
PID 2712 wrote to memory of 2796	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	33
PID 2712 wrote to memory of 2796	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	33
PID 2712 wrote to memory of 2796	2712	d7a5c95ba622121c03aff01b4a8361ee.exe	33
PID 2796 wrote to memory of 2896	2796	cmd.exe	34
PID 2796 wrote to memory of 2896	2796	cmd.exe	34
PID 2796 wrote to memory of 2896	2796	cmd.exe	34
PID 2796 wrote to memory of 2896	2796	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe
"C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe
  C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\mjg83f.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe

Filesize
126KB

MD5
768fd33a1eb620cc640f51092f8026b1

SHA1
856463f17c8ec140409a918a20b1379675d16d76

SHA256
361bf6c1cf37a07a3528bc5c2809a5eba9b083dced2a30fda05dbb0bfb54b59b

SHA512
ce078e39c3096d2b8a58d02d2b2b4e483e06bc65557c8b1cd57db72865fa64b8f84b7fad2efbabf812cbd673144f2fd6bd72708dbabdff65953d380cec3170a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjg83f.xml

Filesize
1KB

MD5
83bcebc899e29f2d08c295daf744ad2f

SHA1
94880b3662ebb644530d98bcc0d0281c338c2e07

SHA256
85e838c7d5b5b0006f4b1e7d0350dfdf8d6da3cc70c4b31914a9498c634d6fa6

SHA512
290c8ce32b7583b5f9e5944d442d06b93487cc59b8b2080a14cbb5d15c380a741be7cedd391c785218f93d77ad79e8c72bad403c90f43a459b4bbc43afbbe64c

Download Submit
\Users\Admin\AppData\Local\Temp\d7a5c95ba622121c03aff01b4a8361ee.exe

Filesize
150KB

MD5
4f05b7c1c1df104bf9d178f53e7ec6f9

SHA1
f13d5432897130714d5090a4e1e6d9e949b82106

SHA256
51892df3aa6f3bfe8de180da83598a4fffb1075541749ea58d28897c99fed6bc

SHA512
c0c68e441c353941ca8a5a27492661b3e89ef03525780d45a4e672736b55887bf0716785b07e2a614249c713b32fb019951f7ed210ef586be3b47a3b15e3cddf

Download Submit
memory/2492-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2492-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2492-3-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2492-16-0x0000000023720000-0x000000002397C000-memory.dmp

Filesize
2.4MB

Download
memory/2492-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2712-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2712-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2712-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2712-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads