fdf6c1f977a0a1dae2c87c168f83e23fe11b76c0fd718f9f7a0c9b92315809e7

General

Target

e5a066dd231935dbd1ab964f1b4b8600.exe
Size

3.9MB
MD5

e5a066dd231935dbd1ab964f1b4b8600
SHA1

e28225f54eb5050b45d6b6679285252001499574
SHA256

fdf6c1f977a0a1dae2c87c168f83e23fe11b76c0fd718f9f7a0c9b92315809e7
SHA512

8a735164b3fd97a14e0759d03abbca087693ecae34d43b6aa6224b7cb12cefcd0b1599152d32846db5b4f229e997efab3a6e89357159389c2e36f0f7203e9052
SSDEEP

98304:niwGVlD2i7D3xkOxYwpKgpCD4zWm0OWJqbD2i7D3xkOxYwpKuAAnjEu8eOID2i7+:ZGVlh7FkNqKgpCHm0Ebh7FkNqKUQu8eI

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	e5a066dd231935dbd1ab964f1b4b8600.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	e5a066dd231935dbd1ab964f1b4b8600.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	e5a066dd231935dbd1ab964f1b4b8600.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012284-11.dat	upx
behavioral1/memory/3028-16-0x00000000236D0000-0x000000002392C000-memory.dmp	upx
behavioral1/files/0x0008000000012284-17.dat	upx
behavioral1/files/0x0008000000012284-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e5a066dd231935dbd1ab964f1b4b8600.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e5a066dd231935dbd1ab964f1b4b8600.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	e5a066dd231935dbd1ab964f1b4b8600.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	e5a066dd231935dbd1ab964f1b4b8600.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	e5a066dd231935dbd1ab964f1b4b8600.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	e5a066dd231935dbd1ab964f1b4b8600.exe
2712	e5a066dd231935dbd1ab964f1b4b8600.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2712	3028	e5a066dd231935dbd1ab964f1b4b8600.exe	29
PID 3028 wrote to memory of 2712	3028	e5a066dd231935dbd1ab964f1b4b8600.exe	29
PID 3028 wrote to memory of 2712	3028	e5a066dd231935dbd1ab964f1b4b8600.exe	29
PID 3028 wrote to memory of 2712	3028	e5a066dd231935dbd1ab964f1b4b8600.exe	29
PID 2712 wrote to memory of 2692	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	30
PID 2712 wrote to memory of 2692	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	30
PID 2712 wrote to memory of 2692	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	30
PID 2712 wrote to memory of 2692	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	30
PID 2712 wrote to memory of 2452	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	34
PID 2712 wrote to memory of 2452	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	34
PID 2712 wrote to memory of 2452	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	34
PID 2712 wrote to memory of 2452	2712	e5a066dd231935dbd1ab964f1b4b8600.exe	34
PID 2452 wrote to memory of 2772	2452	cmd.exe	33
PID 2452 wrote to memory of 2772	2452	cmd.exe	33
PID 2452 wrote to memory of 2772	2452	cmd.exe	33
PID 2452 wrote to memory of 2772	2452	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe
"C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe
  C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\n8fZDUuf.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN Nnb8kaFf43a4
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe

Filesize
415KB

MD5
73d5354d77a93fee154c81731e2e1c9b

SHA1
216af5dc2fe3f22f82ee3244655a93862ed5552c

SHA256
56391d88df9c2a4fcd38f453db6d3b299c0ce37879af9621d4661e1e2384472f

SHA512
127cb905b7be92a80b9f6227caa350507aa56c3066abaf589b5d0416ffd54d6bf0de074bef512cdd5170b18d04759cb428cc4808e7f5067378871002b229e7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe

Filesize
332KB

MD5
96b97886d75748f37fdc67441d1e1c2a

SHA1
a54723bc61608ea804f8fd727519bd01d51eef66

SHA256
369a9f47989a6f9a96aa7d42d1f6805fe9ebab49f53dc6f0bc5174576b6555c2

SHA512
563a01d8fa23355db56e63847be3f7d45ddb778302ffba10810dfc561d493f27a58bfb7a6453e60428384fab6fc4bf4154f1f4a1657179c36b1642e03fca7324

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8fZDUuf.xml

Filesize
1KB

MD5
7dd298ba992e3cf1a6f05bf0b4275538

SHA1
62e0770763ca35bd9bd23366072148f684055754

SHA256
8be749459af5a5554e00956d099bd6dc6f7cabf26e35bdb9a9c7f12159d290d7

SHA512
5398e06bf15a13bddbb1b81b25cb6ec17c62595a88cee5a34a84f929a8b52683e2c8ea0f49c47b502dc9b92be69e85a9b7bea4b8702c0cccd6e66b15037fe1cd

Download Submit
\Users\Admin\AppData\Local\Temp\e5a066dd231935dbd1ab964f1b4b8600.exe

Filesize
644KB

MD5
7c1679306017316fb0389641e2b8212d

SHA1
187e74eb7c8108f30d7a5adfa56ea19e8e3ee33a

SHA256
0be28e56abcc3bd27f03a0113e69ef86b9a510068c289006ea708b3591344fbb

SHA512
f57fbca552190deee049c0c99263f50d196c7f17a43676579d6c286c45199e9c06cffbe74627222298fa6927dce34f6ef7316f38b80ad4fc409c52ec200b6d2c

Download Submit
memory/2712-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2712-21-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2712-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2712-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-16-0x00000000236D0000-0x000000002392C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-6-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/3028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads