adb24ee3f3e0221171ce77c69ac11d7e7da7b4c87d44f6a0693f46c9cf8183ee | Triage

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 17:15 UTC

Sharing

Report Analysis Logs

General

Target

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Size

3.2MB
MD5

fcb579a08d6e49d0e3c83c6e3bc5b0ef
SHA1

0840884b8413fb493e4c41ca410067da224ae52c
SHA256

adb24ee3f3e0221171ce77c69ac11d7e7da7b4c87d44f6a0693f46c9cf8183ee
SHA512

816ce1df1e02e832cc6ba8d1ab953fac015479eeb9949a7e36094d6d96493bf528924c01d1d36bbdce89f3bc47d590b9a0459df9e1f97df02420b42f3f520316
SSDEEP

98304:Mv7VmjNRSimqLIU2lcakcejkIX+MylDCLCcakcK4bCEUJk1dUcakcejkIX+MylDA:ubimST+dlewo+v6CdlKmCadUdlewo+vM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2100-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012223-11.dat	upx
behavioral1/memory/2100-16-0x0000000023680000-0x00000000238DC000-memory.dmp	upx
behavioral1/files/0x0008000000012223-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1712	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
"C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
  C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe" /TN uhTCmbCqd877 /F
1⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN uhTCmbCqd877
1⤵
PID:2604

Network

DNS

pastebin.com

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143
DNS

cutit.org

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
GET

https://cutit.org/oxgBR

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Remote address:

64.91.240.248:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 22 Dec 2023 23:17:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1954
Content-Type: text/html; charset=UTF-8

172.67.34.170:443

pastebin.com

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

190 B
92 B
4
2
64.91.240.248:443

https://cutit.org/oxgBR

tls, http

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

1.2kB
5.4kB
11
9

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

200

8.8.8.8:53

pastebin.com

dns

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.68.143

104.20.67.143
8.8.8.8:53

cutit.org

dns

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml

Filesize
1KB

MD5
0d920ce95703f86ebe26b21962e9a4e0

SHA1
9e91e7b21e162cb2b32c517fb60a37a154b36beb

SHA256
d9e596015a97a4081bb0393c017e1e9339c2dbfdb833e47978d5edf91c547b05

SHA512
4d41892c83d8064d4c91c0a680fd38dc9e535bed6862696f76c23c1d8164597a2f2ae54537ff9de6f48cb2caa27a1efe6be4c63f3d30957c48ba82d6e13377ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Filesize
92KB

MD5
46ff5764136c97005179b952d347e133

SHA1
9957f973df1924349041e60a42c513a9b405b4e3

SHA256
339fcb88afc093d77d334017ae457fb822b6f882711dba997576a85fa254aedb

SHA512
9682c7f73a200a4b83d8ac3922a37dce1158ca452f429a44f089845765ef3cced4bb2c5220284e9729e7f0b724cffad0c1cc55221d50dc926460449cba117ec2

Download Submit
\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Filesize
72KB

MD5
68c9c396de778959f8a9283018e35ee4

SHA1
b338ae5193bf0e77ade9b7a28bf73ef778554388

SHA256
44b9f8a21841183054609a95feee27a5e241f83210c4483cfd726046dc5d59ab

SHA512
336f554c05af2fe700591194a3e8a294fbcb1c992277bb81039ae56a01715ae02840aebad22d9d4d0ef50729edf527ecda67bba1b5fc1e24cd29c2c1ab04a1b7

Download Submit
memory/2100-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2100-16-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/2100-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2100-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2100-3-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2100-53-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/2832-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2832-31-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2832-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2832-22-0x0000000022DC0000-0x0000000022E3E000-memory.dmp

Filesize
504KB

Download
memory/2832-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download