1fe98d36aa6a89c6bfe1b94bd073f7986d193c96accb4a262cd3571d8fab1f01

General

Target

fd40a3260a19a78a7d373c3fbce9b67f.exe
Size

133KB
MD5

fd40a3260a19a78a7d373c3fbce9b67f
SHA1

34eb973cd48f1516ee31e9209fee410e2e17e103
SHA256

1fe98d36aa6a89c6bfe1b94bd073f7986d193c96accb4a262cd3571d8fab1f01
SHA512

8d78515fa0ef3b68b0c49f964b0fd94aebd770ca9691364f1110bb1febc17133d2ff92fdd1eed015e18840c8f3b620dc3ba2a0c429fb8cb50da6c359fd380acf
SSDEEP

3072:muwyWRUiGyQ7EBDKY+IR5dLo77Rmy2v0rD3txye6jgHYAruaLwVSTJfkQ:mu8RhUwB5R83ReoD9xZ6jgBruTVSTJMQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	fd40a3260a19a78a7d373c3fbce9b67f.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	fd40a3260a19a78a7d373c3fbce9b67f.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	fd40a3260a19a78a7d373c3fbce9b67f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000139e0-14.dat	upx
behavioral1/files/0x000b0000000139e0-11.dat	upx
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fd40a3260a19a78a7d373c3fbce9b67f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fd40a3260a19a78a7d373c3fbce9b67f.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	fd40a3260a19a78a7d373c3fbce9b67f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	fd40a3260a19a78a7d373c3fbce9b67f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	fd40a3260a19a78a7d373c3fbce9b67f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	fd40a3260a19a78a7d373c3fbce9b67f.exe
2192	fd40a3260a19a78a7d373c3fbce9b67f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2192	1680	fd40a3260a19a78a7d373c3fbce9b67f.exe	15
PID 1680 wrote to memory of 2192	1680	fd40a3260a19a78a7d373c3fbce9b67f.exe	15
PID 1680 wrote to memory of 2192	1680	fd40a3260a19a78a7d373c3fbce9b67f.exe	15
PID 1680 wrote to memory of 2192	1680	fd40a3260a19a78a7d373c3fbce9b67f.exe	15

C:\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe
C:\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2192

C:\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe
"C:\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe

Filesize
1KB

MD5
a2f24f822e5e7d0fb662b784c0fe6795

SHA1
4e51d3d4882acae4e2e5e8eb3f87cd4e38335f25

SHA256
6ac10d90a9dfc56e88ff5344a44ebb7268c8941e1664de8bd64abb25a604c139

SHA512
20b43abde2e9dd08cd85c6cd19217ede8b5837c8a986dd10ea9c384bae644a741ff71174da2b8fb1879a654eec14d1efff7aadbddb6508931ab3a9a773331efa

Download Submit
\Users\Admin\AppData\Local\Temp\fd40a3260a19a78a7d373c3fbce9b67f.exe

Filesize
44KB

MD5
cd93febdf874d6f3083c6cc651b88cd3

SHA1
8d7d439407ae9c92e409e8b7d7d1ea2002218da2

SHA256
620480b75901d10aa2b6d5dd060ac729cc21feceac4c13223ada6d13e257e4a5

SHA512
059ea931840bbb3da1cd0af051564c2ae0c0a0e337f208bb651312717c1bb958ab334a46ccee0251ba6b7d1f6b4f83b84f58a9f89e8c3272fcf0e634cd9944f6

Download Submit
memory/1680-3-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/1680-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1680-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-16-0x0000000000350000-0x00000000003D6000-memory.dmp

Filesize
536KB

Download
memory/2192-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2192-20-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/2192-34-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing