3a1c58919f5a64f0149e4a165d90c4b98713534581f6e81f98977e0d033eda1c

General

Target

edfa001f31e14d05c4c8c3559d5bde88.exe
Size

3.9MB
MD5

edfa001f31e14d05c4c8c3559d5bde88
SHA1

5a4e8c0528fa3d1b304a38e88ca6b8ce41975f41
SHA256

3a1c58919f5a64f0149e4a165d90c4b98713534581f6e81f98977e0d033eda1c
SHA512

b7c7661cc657712ccd6230f8d288c140ff5c7eea85c0fdfa25fb2cf173a7e88b10e5c0d44c183572b94c9c79e18752fbcb041002a8209cff0053831bdd3534a3
SSDEEP

98304:MB+r/S/CptDqD2i7D3xkOxYwpKI02v4w1zWD2i7D3xkOxYwpK6g9i1kngzH9eD2O:22/ptqh7FkNqKI001yh7FkNqK6g9i1EN

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1940	edfa001f31e14d05c4c8c3559d5bde88.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	edfa001f31e14d05c4c8c3559d5bde88.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	edfa001f31e14d05c4c8c3559d5bde88.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000014abe-15.dat	upx
behavioral1/files/0x0009000000014abe-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2556	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	edfa001f31e14d05c4c8c3559d5bde88.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	edfa001f31e14d05c4c8c3559d5bde88.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	edfa001f31e14d05c4c8c3559d5bde88.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	edfa001f31e14d05c4c8c3559d5bde88.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2368	edfa001f31e14d05c4c8c3559d5bde88.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2368	edfa001f31e14d05c4c8c3559d5bde88.exe
1940	edfa001f31e14d05c4c8c3559d5bde88.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1940	2368	edfa001f31e14d05c4c8c3559d5bde88.exe	25
PID 2368 wrote to memory of 1940	2368	edfa001f31e14d05c4c8c3559d5bde88.exe	25
PID 2368 wrote to memory of 1940	2368	edfa001f31e14d05c4c8c3559d5bde88.exe	25
PID 2368 wrote to memory of 1940	2368	edfa001f31e14d05c4c8c3559d5bde88.exe	25
PID 1940 wrote to memory of 2556	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	20
PID 1940 wrote to memory of 2556	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	20
PID 1940 wrote to memory of 2556	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	20
PID 1940 wrote to memory of 2556	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	20
PID 1940 wrote to memory of 2652	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	22
PID 1940 wrote to memory of 2652	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	22
PID 1940 wrote to memory of 2652	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	22
PID 1940 wrote to memory of 2652	1940	edfa001f31e14d05c4c8c3559d5bde88.exe	22
PID 2652 wrote to memory of 2868	2652	cmd.exe	23
PID 2652 wrote to memory of 2868	2652	cmd.exe	23
PID 2652 wrote to memory of 2868	2652	cmd.exe	23
PID 2652 wrote to memory of 2868	2652	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe
"C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe
  C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe" /TN 6ek6uOO9da42 /F
1⤵
- Creates scheduled task(s)
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\WJf5XuntD.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Query /XML /TN 6ek6uOO9da42
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WJf5XuntD.xml

Filesize
1KB

MD5
3529205d8a37b0da4f2a6374ae56bd77

SHA1
42adc10ffc27aa8e834f9e4fcf000a61ccecffc4

SHA256
60b48ba6bb9d6b535922495771f36fc8cd911b7ad6ac6569d6726b9df0c22b15

SHA512
7172d5094bc11be7c7cc790c4745577c8c5eead018c89f03a6cf2bbec16574ce07bfd42fff5dc4959d24bcc45b3f3fcb1687990536deedf296cd34d92cd1c58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe

Filesize
604KB

MD5
f03cd582ddfd76c15d84d734ba965d66

SHA1
9bb4634db7f79f7ea938e3960cb28c5d43aa56e8

SHA256
051db93328b1334cf41d7cb7e07322b06e76c04caf1f58f1918bf82baf8ad24d

SHA512
9a4a0c9f373e3e517e99e4653dd7e109879bf19f7f8fa5d28364b3acc23a7947c1b0e2eeacf4348f42016dc137c443880089f85a04487aea92ea289138e48295

Download Submit
\Users\Admin\AppData\Local\Temp\edfa001f31e14d05c4c8c3559d5bde88.exe

Filesize
729KB

MD5
ef368494ed14e291c74e924f237a3749

SHA1
c6882584c001c1920c17a030ba60e91b6f937e8c

SHA256
43c8826027560e24fb83fd17adece8f3f3da433303b77baa032ddd32846eee95

SHA512
299472c1f0be74d246c01381e6eacd5fad2e7efc46816c59d9c55adaf29ae37d818bb2795550ee992e57c55a8c671ddefabcf66358fbe144e3d685289338e2c5

Download Submit
memory/1940-22-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1940-18-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1940-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1940-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1940-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2368-20-0x00000000236D0000-0x000000002392C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2368-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2368-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads