22ea5a6766623b8f727d45d70a75e10c5dc27c1dbdfb6dc1de1325497ed1ece6

General

Target

f8494aadaa2fa9ef42b9376a82c00dd0.exe
Size

2.0MB
MD5

f8494aadaa2fa9ef42b9376a82c00dd0
SHA1

910380a09a3c1941d3796f9ed5c04f0876356003
SHA256

22ea5a6766623b8f727d45d70a75e10c5dc27c1dbdfb6dc1de1325497ed1ece6
SHA512

4f55a9f31c1c56e4af21e2da521779fa68c94046339504b734a87d955fa12de51b7c358c1e6132eecc13529f0c8443d66dcee129466d992c0117388cbf462681
SSDEEP

49152:fZxW/k+JlcakLz0ibq6yqhAP6xAnQZbs5MUX1jvmacakLz0ibq6yqh:fZxWFJlcakcibiqh26eQZbeMqZmacakh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012251-11.dat	upx
behavioral1/files/0x000b000000012251-14.dat	upx
behavioral1/files/0x000b000000012251-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2664	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f8494aadaa2fa9ef42b9376a82c00dd0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f8494aadaa2fa9ef42b9376a82c00dd0.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	f8494aadaa2fa9ef42b9376a82c00dd0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	f8494aadaa2fa9ef42b9376a82c00dd0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe
2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2304	2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe	17
PID 2612 wrote to memory of 2304	2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe	17
PID 2612 wrote to memory of 2304	2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe	17
PID 2612 wrote to memory of 2304	2612	f8494aadaa2fa9ef42b9376a82c00dd0.exe	17
PID 2304 wrote to memory of 2664	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	25
PID 2304 wrote to memory of 2664	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	25
PID 2304 wrote to memory of 2664	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	25
PID 2304 wrote to memory of 2664	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	25
PID 2304 wrote to memory of 2780	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	32
PID 2304 wrote to memory of 2780	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	32
PID 2304 wrote to memory of 2780	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	32
PID 2304 wrote to memory of 2780	2304	f8494aadaa2fa9ef42b9376a82c00dd0.exe	32
PID 2780 wrote to memory of 2844	2780	cmd.exe	30
PID 2780 wrote to memory of 2844	2780	cmd.exe	30
PID 2780 wrote to memory of 2844	2780	cmd.exe	30
PID 2780 wrote to memory of 2844	2780	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe
C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe" /TN U5Z8sQiHf24d /F
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\I2rfFK.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780

C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe
"C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\I2rfFK.xml

Filesize
1KB

MD5
738f049d718364ba4067998349d61b43

SHA1
f04279e201bd4d23036540a31d141f6a01583583

SHA256
7dc1d91a295516f11b70c884ae85a5d699a77cd47c1cf73c0477833d60027932

SHA512
4079e6a407e57459f49cdbc5816ca612b29e5d8b78539493d8e152e3badd4b5d04386d6874f52eb018f0a1ae8754bc2ecd6dc1e7900ac3711205ce55090199c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe

Filesize
96KB

MD5
7cadcfa154e19dbe6a3a8bba8f360c58

SHA1
adeede5f6f3901cf9cb6a54adb1b0f2748e2e63f

SHA256
d4d5588d8c5e7ed601e859a3126ddd4bacc171870d5fc42b39e3afadbadb189c

SHA512
0fa99be8d249e0b4b213c31597fc5311f11881424b7c2bd6b4dafb3e2a645a35826ece491663076cba43dd297dea25d5b5d3254e4841aff8a446201d25349e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe

Filesize
270KB

MD5
c41f60870e69b1fa2c35e965816c0bac

SHA1
a321cc55ec9c2e1910a211e12b060d31ba723988

SHA256
01102d40b829d1bf2ee5544c05a89e98f2eab09494abcf8e8129502d9dacce14

SHA512
6ed49cdd39734d38ee02f6692d73c1464a76e791f9c04c1ff708d89e71b48ef7dab7d47dd94d17957ef517185ec354c2c758933a2c914996a3cfb5c806322387

Download Submit
\Users\Admin\AppData\Local\Temp\f8494aadaa2fa9ef42b9376a82c00dd0.exe

Filesize
102KB

MD5
fb4b05f02fadec6c56c08e91f53639c0

SHA1
6cb0fa4a7ebfa180a47548606d3d067d29fdd9b5

SHA256
8d3ba0f3605bc4465516282561b6db9f42d4f1ea3c23aabfa52a4bfcee0aabaf

SHA512
7c6c7babd46b6156eb16dff2b425de861b6a07a24d50966d74501fcd09c2d080b843e577666a3ba3e67a1b2fab049b30331aed1e50cfa3bf8442e00f49450ed1

Download Submit
memory/2304-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2304-22-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2304-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2304-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2612-17-0x00000000232A0000-0x00000000234FC000-memory.dmp

Filesize
2.4MB

Download
memory/2612-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2612-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2612-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2612-3-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2612-53-0x00000000232A0000-0x00000000234FC000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads