7d57b2a7688f4ca1a0b68bbd8c312eecdb0898b78ff787d7012b3558e96ec6b7

General

Target

f97470011e939a03f70512a0a59a5ca4.exe
Size

2.0MB
MD5

f97470011e939a03f70512a0a59a5ca4
SHA1

e6a5ddda535584196b807a8f6e28323b5c28dcf7
SHA256

7d57b2a7688f4ca1a0b68bbd8c312eecdb0898b78ff787d7012b3558e96ec6b7
SHA512

6433206669370f4775ec48ab2ee4fc42e8888edce000220be7f2e4bd62585702149ad78ff542d2252465a62299839cbe10d8096e048fef5795fd99c0a86379ed
SSDEEP

49152:TnFIjjd0tA0lHxgsYIGHOhoCGQ7ai7D3xTgOxYwpK9QPJex64ynRAIuGQ7ai7D3g:TqjjdUA0zgZIGHOhoCD2i7D3xkOxYwpP

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1568	f97470011e939a03f70512a0a59a5ca4.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	f97470011e939a03f70512a0a59a5ca4.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	f97470011e939a03f70512a0a59a5ca4.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-12.dat	upx
behavioral1/memory/2760-17-0x00000000231B0000-0x000000002340C000-memory.dmp	upx
behavioral1/memory/1568-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-18.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2780	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f97470011e939a03f70512a0a59a5ca4.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	f97470011e939a03f70512a0a59a5ca4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	f97470011e939a03f70512a0a59a5ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f97470011e939a03f70512a0a59a5ca4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2760	f97470011e939a03f70512a0a59a5ca4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2760	f97470011e939a03f70512a0a59a5ca4.exe
1568	f97470011e939a03f70512a0a59a5ca4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1568	2760	f97470011e939a03f70512a0a59a5ca4.exe	29
PID 2760 wrote to memory of 1568	2760	f97470011e939a03f70512a0a59a5ca4.exe	29
PID 2760 wrote to memory of 1568	2760	f97470011e939a03f70512a0a59a5ca4.exe	29
PID 2760 wrote to memory of 1568	2760	f97470011e939a03f70512a0a59a5ca4.exe	29
PID 1568 wrote to memory of 2780	1568	f97470011e939a03f70512a0a59a5ca4.exe	30
PID 1568 wrote to memory of 2780	1568	f97470011e939a03f70512a0a59a5ca4.exe	30
PID 1568 wrote to memory of 2780	1568	f97470011e939a03f70512a0a59a5ca4.exe	30
PID 1568 wrote to memory of 2780	1568	f97470011e939a03f70512a0a59a5ca4.exe	30
PID 1568 wrote to memory of 2288	1568	f97470011e939a03f70512a0a59a5ca4.exe	32
PID 1568 wrote to memory of 2288	1568	f97470011e939a03f70512a0a59a5ca4.exe	32
PID 1568 wrote to memory of 2288	1568	f97470011e939a03f70512a0a59a5ca4.exe	32
PID 1568 wrote to memory of 2288	1568	f97470011e939a03f70512a0a59a5ca4.exe	32
PID 2288 wrote to memory of 1788	2288	cmd.exe	34
PID 2288 wrote to memory of 1788	2288	cmd.exe	34
PID 2288 wrote to memory of 1788	2288	cmd.exe	34
PID 2288 wrote to memory of 1788	2288	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe
"C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe
  C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe" /TN m8v9k5kD0c8e /F
    3⤵
    - Creates scheduled task(s)
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\3pf36g5.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN m8v9k5kD0c8e
      4⤵
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3pf36g5.xml

Filesize
1KB

MD5
d7eb8ba5994b53eba1280be669b5805f

SHA1
b22c5b0de807b7c4ca529f93693aac8cd93ef22b

SHA256
6fe8a3a53e2e1a513d849ce1730e3d3b22948ad3f719dcc2678b2e96202511f1

SHA512
d8083545593d0f2e20080bb5b19984e9ee3a4a936c7a7635de7162f2b67c7967e5f95a3f470ef3844afe6fb508212b320681ccdb2230aac6fb575512b49e7503

Download Submit
C:\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe

Filesize
1.7MB

MD5
2a1529301904950b830b96f7745bf4bb

SHA1
9396a046d369db8cc929e8444f7738c71242def2

SHA256
dd1bc4778021c40e73a9ec1ed736b2be0fffdb9b349157af79619594bdcf3bf3

SHA512
2aab8321b90f814b2b1e9eafa2e6e20933b9983088cfa68656ea2b22fcb1c85cf690dd0511cddc5673e1c507c7598490f28705affe70c3c679a434b9b2552917

Download Submit
\Users\Admin\AppData\Local\Temp\f97470011e939a03f70512a0a59a5ca4.exe

Filesize
1.8MB

MD5
8c8010d3e8ff23e01573fe7ad3c2ca71

SHA1
f6d6a6fbfacc71a711a3087f090ae87e8d227e12

SHA256
7a1b7fab8ee7ca8d9cee369863667338ebb379ec9cdcedc01b0c42d134c7e9df

SHA512
629049db44a4bfdf6521165305ce80c156312649f4dfc78c887d63ce6e91d20bd31bcdf11dac443ae374605557bb2cf4b74962b6c3ea181656e439d4dcda5ad1

Download Submit
memory/1568-33-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1568-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1568-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1568-22-0x0000000022DB0000-0x0000000022E2E000-memory.dmp

Filesize
504KB

Download
memory/1568-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2760-11-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2760-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2760-17-0x00000000231B0000-0x000000002340C000-memory.dmp

Filesize
2.4MB

Download
memory/2760-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2760-6-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2760-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads