353451de88f4fccd6138f8bf3c87533fc8b508320e97947c91a2a1e76d330518

General

Target

e90446bc0b3b6439ed60ae09d59967ae.exe
Size

2.0MB
MD5

e90446bc0b3b6439ed60ae09d59967ae
SHA1

a295ad6314b3a7e348940baabaa4d6cea1502a87
SHA256

353451de88f4fccd6138f8bf3c87533fc8b508320e97947c91a2a1e76d330518
SHA512

3040c98037c6f75c7eeed8d5db6419c7cb51487a920ed56de7bb6ca74f0d53088431078b924d967a4c9fafcff62a5680211a77c738f5fbb49f8ee9cee71ce7a4
SSDEEP

49152:tzcHOji+SJkMyF1fau20JY6l+T5C5HJhLmzrkau20JY6l+:tzeCY2MO1fau/ulTw5HrLmzrkau/ul

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2416	e90446bc0b3b6439ed60ae09d59967ae.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	e90446bc0b3b6439ed60ae09d59967ae.exe

Loads dropped DLL 1 IoCs

pid	Process
1516	e90446bc0b3b6439ed60ae09d59967ae.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1516-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012262-11.dat	upx
behavioral1/memory/1516-16-0x0000000023300000-0x000000002355C000-memory.dmp	upx
behavioral1/files/0x0009000000012262-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2740	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e90446bc0b3b6439ed60ae09d59967ae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e90446bc0b3b6439ed60ae09d59967ae.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	e90446bc0b3b6439ed60ae09d59967ae.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	e90446bc0b3b6439ed60ae09d59967ae.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1516	e90446bc0b3b6439ed60ae09d59967ae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1516	e90446bc0b3b6439ed60ae09d59967ae.exe
2416	e90446bc0b3b6439ed60ae09d59967ae.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2416	1516	e90446bc0b3b6439ed60ae09d59967ae.exe	29
PID 1516 wrote to memory of 2416	1516	e90446bc0b3b6439ed60ae09d59967ae.exe	29
PID 1516 wrote to memory of 2416	1516	e90446bc0b3b6439ed60ae09d59967ae.exe	29
PID 1516 wrote to memory of 2416	1516	e90446bc0b3b6439ed60ae09d59967ae.exe	29
PID 2416 wrote to memory of 2740	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	30
PID 2416 wrote to memory of 2740	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	30
PID 2416 wrote to memory of 2740	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	30
PID 2416 wrote to memory of 2740	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	30
PID 2416 wrote to memory of 2264	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	34
PID 2416 wrote to memory of 2264	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	34
PID 2416 wrote to memory of 2264	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	34
PID 2416 wrote to memory of 2264	2416	e90446bc0b3b6439ed60ae09d59967ae.exe	34
PID 2264 wrote to memory of 596	2264	cmd.exe	36
PID 2264 wrote to memory of 596	2264	cmd.exe	36
PID 2264 wrote to memory of 596	2264	cmd.exe	36
PID 2264 wrote to memory of 596	2264	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe
"C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe
  C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\KK8dYDkTI.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KK8dYDkTI.xml

Filesize
1KB

MD5
3d4b7b55a39de124494a5f49382e7488

SHA1
fca4773cc49a37036d2abf23efe5f6198268b079

SHA256
93c414ff6ef6ab5a614c44ba54c09716c1406af78728d68fb8f6cd3e9361acf3

SHA512
eae00685d0cdd28c08ac53f80982fcd507688f61f6ecbffe12dbc66a89bcf03de1d0cee3b43f89141ba97b45444027674e9038b8a6b45bb09a32bf89122331b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe

Filesize
2.0MB

MD5
0f56a127e53e723bab12a39ab36be90a

SHA1
384d4fc1ee3dda1dc61f3d0f0bc3fe65fc0b8055

SHA256
64f1d7661ce5812b7898b4c5118615e8a4a5c3c03af3f4eb1806927c2e9ce790

SHA512
a65378eae87b4d42c16a98b1764894f65cb2e3e1f160fc837ac9f7398350f4e638516a9d36248aec82d236e90c89f6d2d96bd7f5010114bd7c488bec0a06bb29

Download Submit
\Users\Admin\AppData\Local\Temp\e90446bc0b3b6439ed60ae09d59967ae.exe

Filesize
80KB

MD5
618a57e2cba33c0e719026d2b5c008ab

SHA1
6aa9efa4bd8c20c95d61cc7490290f7d256b840c

SHA256
6a0aead0335e65e64ca00901b7b4cf8e074942bbfe8086ab17fee7af02e635bc

SHA512
1dc02743a14d107a33b8993ff97c4766df7900a6a90546fb16f3d0c6a30a8fa5f4254da9b9cda837eb2a608d1a1e42575c4e714bb2b60ef25ba5b28d38927f2b

Download Submit
memory/1516-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1516-16-0x0000000023300000-0x000000002355C000-memory.dmp

Filesize
2.4MB

Download
memory/1516-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1516-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1516-32-0x0000000023300000-0x000000002355C000-memory.dmp

Filesize
2.4MB

Download
memory/1516-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2416-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2416-21-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/2416-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2416-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2416-33-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads