46fc73fc37222b2517c3ef8c356d4c49fc32a006f1af8df9e6ca3064381a5db7

General

Target

ffa99837584628b3fa9607942cc6826a.exe
Size

4.4MB
MD5

ffa99837584628b3fa9607942cc6826a
SHA1

045c30cc48058b7caf0d2ca3fc4f732f561bd854
SHA256

46fc73fc37222b2517c3ef8c356d4c49fc32a006f1af8df9e6ca3064381a5db7
SHA512

c0c875fa8849f2609b38d5c7337cb76457abfc0691959662704322da4b649f121c23d5d0beebd117c819f0d3f47a7715b28a8f1a1e39a07c3be43a9ce6efbef2
SSDEEP

49152:KXkbHPwPa2eOdwfR2/plVB3nDjzWJTvZdR36auPA9ywvlmmID5lN:KXkTPwT6U/plX3nD/WJTvZyrPA9psdl7

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2440	ffa99837584628b3fa9607942cc6826a.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	ffa99837584628b3fa9607942cc6826a.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	ffa99837584628b3fa9607942cc6826a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1352-2-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/files/0x000a000000012256-15.dat	upx
behavioral1/files/0x000a000000012256-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	ffa99837584628b3fa9607942cc6826a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	ffa99837584628b3fa9607942cc6826a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ffa99837584628b3fa9607942cc6826a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ffa99837584628b3fa9607942cc6826a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1352	ffa99837584628b3fa9607942cc6826a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1352	ffa99837584628b3fa9607942cc6826a.exe
2440	ffa99837584628b3fa9607942cc6826a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2440	1352	ffa99837584628b3fa9607942cc6826a.exe	29
PID 1352 wrote to memory of 2440	1352	ffa99837584628b3fa9607942cc6826a.exe	29
PID 1352 wrote to memory of 2440	1352	ffa99837584628b3fa9607942cc6826a.exe	29
PID 1352 wrote to memory of 2440	1352	ffa99837584628b3fa9607942cc6826a.exe	29

C:\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe
"C:\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe
  C:\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe

Filesize
561KB

MD5
bf1e21b7c7a56b974f5ed2d9f1fd268f

SHA1
b173ecf4ba551acc35301c9c3e32e2a4ed90f927

SHA256
619d620674a71192fbc380f0e154e0a49dd46e2775d61dddc35032c9f15b90e2

SHA512
2f2d9e01122ea6da42c3095d6d15b0591a4f19aeb423b577e1e777d10f7b4a078d4c683693637816b7a139b51e6ba9a7c4aecc2aa35a84e7d2fc26a501c351bf

Download Submit
\Users\Admin\AppData\Local\Temp\ffa99837584628b3fa9607942cc6826a.exe

Filesize
771KB

MD5
6a681f2726b6e2a69c057854aec7ff9f

SHA1
e67900227f6ed26ab8f4671c6ae6359a4a54f42c

SHA256
69d8b48f8a97897774f2a7d91be48c70f599c1322b94d346fb71afd737c901d5

SHA512
dad5fd28156f0eb7480b6450112d46c3aae91073cd160800562271f0d27875232c13d2fc752fd4d607c238d747a4c46b3344938521ae548078004edaadd2a16b

Download Submit
memory/1352-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1352-2-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/1352-4-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/1352-16-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1352-17-0x0000000003E10000-0x00000000046F1000-memory.dmp

Filesize
8.9MB

Download
memory/1352-44-0x0000000003E10000-0x00000000046F1000-memory.dmp

Filesize
8.9MB

Download
memory/2440-19-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2440-21-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/2440-45-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing