adb24ee3f3e0221171ce77c69ac11d7e7da7b4c87d44f6a0693f46c9cf8183ee

General

Target

fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Size

3.2MB
MD5

fcb579a08d6e49d0e3c83c6e3bc5b0ef
SHA1

0840884b8413fb493e4c41ca410067da224ae52c
SHA256

adb24ee3f3e0221171ce77c69ac11d7e7da7b4c87d44f6a0693f46c9cf8183ee
SHA512

816ce1df1e02e832cc6ba8d1ab953fac015479eeb9949a7e36094d6d96493bf528924c01d1d36bbdce89f3bc47d590b9a0459df9e1f97df02420b42f3f520316
SSDEEP

98304:Mv7VmjNRSimqLIU2lcakcejkIX+MylDCLCcakcK4bCEUJk1dUcakcejkIX+MylDA:ubimST+dlewo+v6CdlKmCadUdlewo+vM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012223-11.dat	upx
behavioral1/memory/2100-16-0x0000000023680000-0x00000000238DC000-memory.dmp	upx
behavioral1/files/0x0008000000012223-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1712	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2100 wrote to memory of 2832	2100	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	20
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 1712	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	18
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2832 wrote to memory of 2332	2832	fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe	34
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33
PID 2332 wrote to memory of 2604	2332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
"C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
  C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe" /TN uhTCmbCqd877 /F
1⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN uhTCmbCqd877
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml

Filesize
1KB

MD5
0d920ce95703f86ebe26b21962e9a4e0

SHA1
9e91e7b21e162cb2b32c517fb60a37a154b36beb

SHA256
d9e596015a97a4081bb0393c017e1e9339c2dbfdb833e47978d5edf91c547b05

SHA512
4d41892c83d8064d4c91c0a680fd38dc9e535bed6862696f76c23c1d8164597a2f2ae54537ff9de6f48cb2caa27a1efe6be4c63f3d30957c48ba82d6e13377ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Filesize
92KB

MD5
46ff5764136c97005179b952d347e133

SHA1
9957f973df1924349041e60a42c513a9b405b4e3

SHA256
339fcb88afc093d77d334017ae457fb822b6f882711dba997576a85fa254aedb

SHA512
9682c7f73a200a4b83d8ac3922a37dce1158ca452f429a44f089845765ef3cced4bb2c5220284e9729e7f0b724cffad0c1cc55221d50dc926460449cba117ec2

Download Submit
\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

Filesize
72KB

MD5
68c9c396de778959f8a9283018e35ee4

SHA1
b338ae5193bf0e77ade9b7a28bf73ef778554388

SHA256
44b9f8a21841183054609a95feee27a5e241f83210c4483cfd726046dc5d59ab

SHA512
336f554c05af2fe700591194a3e8a294fbcb1c992277bb81039ae56a01715ae02840aebad22d9d4d0ef50729edf527ecda67bba1b5fc1e24cd29c2c1ab04a1b7

Download Submit
memory/2100-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2100-16-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/2100-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2100-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2100-3-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2100-53-0x0000000023680000-0x00000000238DC000-memory.dmp

Filesize
2.4MB

Download
memory/2832-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2832-31-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2832-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2832-22-0x0000000022DC0000-0x0000000022E3E000-memory.dmp

Filesize
504KB

Download
memory/2832-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads