237252c749c4c572371664c626c3ffe1ac14f78c63259d979c5e8bf7e982b37a

General

Target

fcf14878aed86435cc03f2b3e7816eb3.exe
Size

133KB
MD5

fcf14878aed86435cc03f2b3e7816eb3
SHA1

5da5586da95b45cd8e63884f51df0e254dfdc3b4
SHA256

237252c749c4c572371664c626c3ffe1ac14f78c63259d979c5e8bf7e982b37a
SHA512

03b815d33723dfa2f4e731d1f21a17f5afd09d3a52831c107560cc3e4d24e8ba33540f2ae5c9f3af21ad7a10bbe3085c21dc9d1827dc42a7662f3af395a9935b
SSDEEP

1536:wj8kT7wTTudL5OEwP1ZOyqKbMw1TAiq+rEHumt6+pMRs2JqNjfbRPw2V9aD9ctGQ:xTTaL5Ol32uE6JG7ft/5Gx/U+Y2ryWPQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	fcf14878aed86435cc03f2b3e7816eb3.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	fcf14878aed86435cc03f2b3e7816eb3.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	fcf14878aed86435cc03f2b3e7816eb3.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fcf14878aed86435cc03f2b3e7816eb3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fcf14878aed86435cc03f2b3e7816eb3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2380	fcf14878aed86435cc03f2b3e7816eb3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2380	fcf14878aed86435cc03f2b3e7816eb3.exe
3004	fcf14878aed86435cc03f2b3e7816eb3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3004	2380	fcf14878aed86435cc03f2b3e7816eb3.exe	16
PID 2380 wrote to memory of 3004	2380	fcf14878aed86435cc03f2b3e7816eb3.exe	16
PID 2380 wrote to memory of 3004	2380	fcf14878aed86435cc03f2b3e7816eb3.exe	16
PID 2380 wrote to memory of 3004	2380	fcf14878aed86435cc03f2b3e7816eb3.exe	16

C:\Users\Admin\AppData\Local\Temp\fcf14878aed86435cc03f2b3e7816eb3.exe
"C:\Users\Admin\AppData\Local\Temp\fcf14878aed86435cc03f2b3e7816eb3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\fcf14878aed86435cc03f2b3e7816eb3.exe
  C:\Users\Admin\AppData\Local\Temp\fcf14878aed86435cc03f2b3e7816eb3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2380-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-1-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/3004-16-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/3004-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3004-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing