cfcadd86e41f3854a8df3db82839738d851e022a53cd4122bb335ff9325b2aa8

General

Target

438620827cbb1b84161702f998a45d7e.exe
Size

1003KB
MD5

438620827cbb1b84161702f998a45d7e
SHA1

b72692ac622519ec9ec8bf48bf73cda1e66d3fed
SHA256

cfcadd86e41f3854a8df3db82839738d851e022a53cd4122bb335ff9325b2aa8
SHA512

f6efc998fd165938d52eeea9e9e9849ae8564f84443182edaaae3285f3261d9730c310b0d4d9041b76a137c7fa21a6b487bb60fe7f1fdc4e233b1ed3bbb19fc8
SSDEEP

24576:6S0hKCICznj1iHem1GQoadai7D3uITjIFOxo53ApIj:6S0OCzn4HZ1GQ7ai7D3xTgOxYwpK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	438620827cbb1b84161702f998a45d7e.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	438620827cbb1b84161702f998a45d7e.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	438620827cbb1b84161702f998a45d7e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012248-17.dat	upx
behavioral1/memory/2452-16-0x0000000022FE0000-0x000000002323C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	438620827cbb1b84161702f998a45d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	438620827cbb1b84161702f998a45d7e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	438620827cbb1b84161702f998a45d7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	438620827cbb1b84161702f998a45d7e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2452	438620827cbb1b84161702f998a45d7e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2452	438620827cbb1b84161702f998a45d7e.exe
2692	438620827cbb1b84161702f998a45d7e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2692	2452	438620827cbb1b84161702f998a45d7e.exe	29
PID 2452 wrote to memory of 2692	2452	438620827cbb1b84161702f998a45d7e.exe	29
PID 2452 wrote to memory of 2692	2452	438620827cbb1b84161702f998a45d7e.exe	29
PID 2452 wrote to memory of 2692	2452	438620827cbb1b84161702f998a45d7e.exe	29
PID 2692 wrote to memory of 2816	2692	438620827cbb1b84161702f998a45d7e.exe	30
PID 2692 wrote to memory of 2816	2692	438620827cbb1b84161702f998a45d7e.exe	30
PID 2692 wrote to memory of 2816	2692	438620827cbb1b84161702f998a45d7e.exe	30
PID 2692 wrote to memory of 2816	2692	438620827cbb1b84161702f998a45d7e.exe	30
PID 2692 wrote to memory of 2900	2692	438620827cbb1b84161702f998a45d7e.exe	32
PID 2692 wrote to memory of 2900	2692	438620827cbb1b84161702f998a45d7e.exe	32
PID 2692 wrote to memory of 2900	2692	438620827cbb1b84161702f998a45d7e.exe	32
PID 2692 wrote to memory of 2900	2692	438620827cbb1b84161702f998a45d7e.exe	32
PID 2900 wrote to memory of 2956	2900	cmd.exe	34
PID 2900 wrote to memory of 2956	2900	cmd.exe	34
PID 2900 wrote to memory of 2956	2900	cmd.exe	34
PID 2900 wrote to memory of 2956	2900	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe
"C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe
  C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\fw7QsgA6O.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\438620827cbb1b84161702f998a45d7e.exe

Filesize
1003KB

MD5
a7c980477111fb105bc7cc12abbe4ff5

SHA1
af018a68eb755df6a29f617655b1936c5fa13dcc

SHA256
60fbbf5c6605a24f94991e926f1987aacde3d98739fb0e7be22d499fa1ac52cf

SHA512
a2ac9b2696a2e3b1e53dd4d62eaf1b7ce009d5b5d8017307bc734f1acd802ec783d21018e6bc8ad19f9bb7d8294f334c686a66ffb43742a16dd618fc5cc0b81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fw7QsgA6O.xml

Filesize
1KB

MD5
43305f663cb8edc140e577e9cec0a716

SHA1
da15d552fcd5f941deb53a12333915e4253bcf0b

SHA256
cc6b86b836b4818ca5ef9218f7cd8a5c748192cac68f2a9d91dca2720fce1051

SHA512
3bf7afae62db3b47cde3096315dad525866fd46f199ddc113d403fc9ed72bc02180e5d3c8961778ee52aeb46bc02cd95991c144563908808def71480ad128f27

Download Submit
memory/2452-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2452-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2452-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2452-16-0x0000000022FE0000-0x000000002323C000-memory.dmp

Filesize
2.4MB

Download
memory/2452-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2692-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2692-29-0x0000000000280000-0x00000000002EB000-memory.dmp

Filesize
428KB

Download
memory/2692-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads