f0a96391348bf3b2430f9e070bb4bdff7b6f6873b4e2e44e1bfc92804fc10156

General

Target

f893a7a4e187b759b45f593ec6279fa0.exe
Size

3.2MB
MD5

f893a7a4e187b759b45f593ec6279fa0
SHA1

c2cf49e1a07327725c7c85d093504c80a48ad69a
SHA256

f0a96391348bf3b2430f9e070bb4bdff7b6f6873b4e2e44e1bfc92804fc10156
SHA512

2a529a7b8d3cda20f06e359be0a6dc6f368ef7bb936a3d0a4494f2381523864066466261ad97bada79d79ffb333450630ef4aedee0e4da0042a881ee28e99da3
SSDEEP

98304:3msw4e/hxKcakcLjHvnk/CkT+66UDcakcdzFp8a7GG9cakcLjHvnk/CkT+66UDcp:WqkhcdlLz8FH66dlL7PdlLz8FH66dlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	f893a7a4e187b759b45f593ec6279fa0.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	f893a7a4e187b759b45f593ec6279fa0.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	f893a7a4e187b759b45f593ec6279fa0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-11.dat	upx
behavioral1/files/0x000a000000013a71-17.dat	upx
behavioral1/memory/2136-16-0x0000000023680000-0x00000000238DC000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-13.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2608	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f893a7a4e187b759b45f593ec6279fa0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f893a7a4e187b759b45f593ec6279fa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	f893a7a4e187b759b45f593ec6279fa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	f893a7a4e187b759b45f593ec6279fa0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2136	f893a7a4e187b759b45f593ec6279fa0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2136	f893a7a4e187b759b45f593ec6279fa0.exe
3052	f893a7a4e187b759b45f593ec6279fa0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3052	2136	f893a7a4e187b759b45f593ec6279fa0.exe	19
PID 2136 wrote to memory of 3052	2136	f893a7a4e187b759b45f593ec6279fa0.exe	19
PID 2136 wrote to memory of 3052	2136	f893a7a4e187b759b45f593ec6279fa0.exe	19
PID 2136 wrote to memory of 3052	2136	f893a7a4e187b759b45f593ec6279fa0.exe	19
PID 3052 wrote to memory of 2608	3052	f893a7a4e187b759b45f593ec6279fa0.exe	23
PID 3052 wrote to memory of 2608	3052	f893a7a4e187b759b45f593ec6279fa0.exe	23
PID 3052 wrote to memory of 2608	3052	f893a7a4e187b759b45f593ec6279fa0.exe	23
PID 3052 wrote to memory of 2608	3052	f893a7a4e187b759b45f593ec6279fa0.exe	23
PID 3052 wrote to memory of 2732	3052	f893a7a4e187b759b45f593ec6279fa0.exe	24
PID 3052 wrote to memory of 2732	3052	f893a7a4e187b759b45f593ec6279fa0.exe	24
PID 3052 wrote to memory of 2732	3052	f893a7a4e187b759b45f593ec6279fa0.exe	24
PID 3052 wrote to memory of 2732	3052	f893a7a4e187b759b45f593ec6279fa0.exe	24
PID 2732 wrote to memory of 2652	2732	cmd.exe	25
PID 2732 wrote to memory of 2652	2732	cmd.exe	25
PID 2732 wrote to memory of 2652	2732	cmd.exe	25
PID 2732 wrote to memory of 2652	2732	cmd.exe	25

C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe
"C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe
  C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\0GrhGe46.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 6ek6uOO9da42
      4⤵
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0GrhGe46.xml

Filesize
1KB

MD5
406a5d36a66c196213ee18fda81c06ec

SHA1
878ea083c2a664381114e82a51816343a522dd1a

SHA256
1bc0388d89b377a2200d1db58ebedfaf4d5d384d247489ccd1f8e7eeb0a09c86

SHA512
5e1404b9b3dc22f6963e5b5238a33ad2dfa2da9acb320f3c9ac6c3d3137750c3a34f1223e3efe1919336b8ab5e6b15006059c7befd7c155b8e4b0f017c319fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe

Filesize
283KB

MD5
dab51a1f0c0c05a1265da20fa69b675e

SHA1
a63d74e79a93624e954216950db672f064e13fa4

SHA256
10eb7044efd5582adfbf701d85aa2ce61d65e5feae15dbdb987a4b675b607020

SHA512
4da16322ba4c389008fd9b8f1f6304586dfbb9ff39db3a4f0c7a4e4de3ed840282a62add5f35d6d9c2307d6fdc258d1011824ae396bbeb22f44d425bb2a093a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe

Filesize
59KB

MD5
203d0618ef005d8bf73264785f2c0b24

SHA1
7ffb95ab7bbc3a725814c44eb3af8a81dd31f9e0

SHA256
8c6de50acd6524677e40caea34713197c663fbb7312dab9137d3492202b21cc3

SHA512
f3d7040d044e2ee1c0d6d3e65e058ea44a410578f0274d39742118a4545d96c8daee60d63ea85e2f926159d2ab9868d71cdb2ac6daa0797b22e8b94418653084

Download Submit
\Users\Admin\AppData\Local\Temp\f893a7a4e187b759b45f593ec6279fa0.exe

Filesize
106KB

MD5
2a54238ff59bd9b57ad3f42f07e9140f

SHA1
7f8cbba76787084bb3e2196303ea6d27d89d09eb

SHA256
1fafbde4e904cda3ab3fae0a3956c426cd55656f278371c55d43a1ed4d1e1b3d

SHA512
f6f69b562a6e74c475eb39b68759fbc21831a94e1511adbe37626d3baaff7f6d9fd442f83ba07f2663ab1d026d542ee06234eb578f902de386079176c605a6fd

Download Submit
memory/2136-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2136-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2136-16-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/2136-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2136-3-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/2136-45-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/3052-25-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3052-26-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/3052-28-0x0000000000260000-0x00000000002DE000-memory.dmp

Filesize
504KB

Download
memory/3052-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3052-46-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads