062e9d05e9d854c6b57cb0a988653562844e807f19485193dcedc5eec4750e77

General

Target

f647a51d6ed29ced363e98e1b8db0451.exe
Size

1.6MB
MD5

f647a51d6ed29ced363e98e1b8db0451
SHA1

60569c42eb9d7628591689003417c0996f86a9cb
SHA256

062e9d05e9d854c6b57cb0a988653562844e807f19485193dcedc5eec4750e77
SHA512

158de32dfdae85c00b961033f41af5e37aad3bc1ef2340fd39d37f14adf434bf679d6cb81187650e7ed407e088a339fbc2bf7e85031f6aacb152cbdca2237472
SSDEEP

49152:kaPBGEHIlQZjULgcakLz0mDU8UBtQccakLz0O:kapGEHIlQZ+gcakcmDutQccakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	f647a51d6ed29ced363e98e1b8db0451.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	f647a51d6ed29ced363e98e1b8db0451.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	f647a51d6ed29ced363e98e1b8db0451.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0007000000012281-17.dat	upx
behavioral1/memory/2220-16-0x0000000023190000-0x00000000233EC000-memory.dmp	upx
behavioral1/files/0x0007000000012281-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	f647a51d6ed29ced363e98e1b8db0451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f647a51d6ed29ced363e98e1b8db0451.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f647a51d6ed29ced363e98e1b8db0451.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	f647a51d6ed29ced363e98e1b8db0451.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	f647a51d6ed29ced363e98e1b8db0451.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2220	f647a51d6ed29ced363e98e1b8db0451.exe
2696	f647a51d6ed29ced363e98e1b8db0451.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2696	2220	f647a51d6ed29ced363e98e1b8db0451.exe	31
PID 2220 wrote to memory of 2696	2220	f647a51d6ed29ced363e98e1b8db0451.exe	31
PID 2220 wrote to memory of 2696	2220	f647a51d6ed29ced363e98e1b8db0451.exe	31
PID 2220 wrote to memory of 2696	2220	f647a51d6ed29ced363e98e1b8db0451.exe	31
PID 2696 wrote to memory of 2800	2696	f647a51d6ed29ced363e98e1b8db0451.exe	29
PID 2696 wrote to memory of 2800	2696	f647a51d6ed29ced363e98e1b8db0451.exe	29
PID 2696 wrote to memory of 2800	2696	f647a51d6ed29ced363e98e1b8db0451.exe	29
PID 2696 wrote to memory of 2800	2696	f647a51d6ed29ced363e98e1b8db0451.exe	29
PID 2696 wrote to memory of 2444	2696	f647a51d6ed29ced363e98e1b8db0451.exe	32
PID 2696 wrote to memory of 2444	2696	f647a51d6ed29ced363e98e1b8db0451.exe	32
PID 2696 wrote to memory of 2444	2696	f647a51d6ed29ced363e98e1b8db0451.exe	32
PID 2696 wrote to memory of 2444	2696	f647a51d6ed29ced363e98e1b8db0451.exe	32
PID 2444 wrote to memory of 2808	2444	cmd.exe	34
PID 2444 wrote to memory of 2808	2444	cmd.exe	34
PID 2444 wrote to memory of 2808	2444	cmd.exe	34
PID 2444 wrote to memory of 2808	2444	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe
"C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe
  C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\Zz8sx.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe" /TN MXmKXYLpa01b /F
1⤵
- Creates scheduled task(s)
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zz8sx.xml

Filesize
1KB

MD5
5962cc8454977f6c1f878174386d31e9

SHA1
acfbd150efb15a33e0a5664e6ff9ec3c7f937f9c

SHA256
4425c7d1067527a728f4058592adc99efb1e35c139747097c580fe1ff97f9d19

SHA512
ce4fa508ab5ed28cbd7c9bc8c237f86885e62a663ecfd64b4e6e379533d357d149d5634c7ca49d524e4eb7a4c85f10deb02b3bcc9da64bf705451b2e925b867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe

Filesize
1.1MB

MD5
e905a56e30fcf87b7ef7217aeaa7dab5

SHA1
8c71b71fe3c41ea2c5ee972f9e6e373369d3569c

SHA256
714c804a79aedeb3db31eaf6788eeee11e5200efbef981d4ccc24827cae08d2f

SHA512
e2e18251fb98234ea0b6a2fe80a5eefba23284e249aaed8ede649bf229d92e7edc7fe49f50e3c68688567cde5f07488babb2afdb5807ac80ffece18c0156c438

Download Submit
\Users\Admin\AppData\Local\Temp\f647a51d6ed29ced363e98e1b8db0451.exe

Filesize
165KB

MD5
bff8f94d17ad26131c5b375818757561

SHA1
39b55e279b16085c1390871424e6864cd3c6a7bd

SHA256
4ce8d7b79f03d9d96b3e6dea67985ddab3d7ee3755fc0b9944831108602a02e5

SHA512
6b65cf72c1edbd5423b8c2c75ab846cda3445c111a26c65c052f4239873a6434fb8a79abb160afbe49b8e6ac938c30ea1a6ac2f04ef5810aee22363e2028839e

Download Submit
memory/2220-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2220-16-0x0000000023190000-0x00000000233EC000-memory.dmp

Filesize
2.4MB

Download
memory/2220-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2220-2-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2220-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2220-54-0x0000000023190000-0x00000000233EC000-memory.dmp

Filesize
2.4MB

Download
memory/2696-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2696-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2696-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2696-22-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2696-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads