ab6cb4abea7d9e30c5381d2bb724bc332e750ec11e38ecfec17363b64946055d

General

Target

0c2d05e1428f239ae7dbb2b0b5612e65.exe
Size

302KB
MD5

0c2d05e1428f239ae7dbb2b0b5612e65
SHA1

ae587eec7a59bf340e4c3063e19bfe36cce1d36c
SHA256

ab6cb4abea7d9e30c5381d2bb724bc332e750ec11e38ecfec17363b64946055d
SHA512

53fdc65bd91740e7c7cd95aed520215e4e5e68f4f8fcdabe4f9ecda1b7926ee9430f5c7762d1c05d5a3ca425875e958bf6ae03b7d77691b60ade89742ad83dda
SSDEEP

3072:y2LRUlvBx/aFf4vyIRf3sxokD6WKYgWBwePoX5Ur+35S4sLYoRKTAFN+rQC6AR:VmtbaFfudzkklePsIkp2RKymQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	0c2d05e1428f239ae7dbb2b0b5612e65.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	0c2d05e1428f239ae7dbb2b0b5612e65.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x00070000000122c9-11.dat	upx
behavioral1/files/0x00070000000122c9-17.dat	upx
behavioral1/memory/1672-16-0x00000000014E0000-0x00000000015C0000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0c2d05e1428f239ae7dbb2b0b5612e65.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0c2d05e1428f239ae7dbb2b0b5612e65.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0c2d05e1428f239ae7dbb2b0b5612e65.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0c2d05e1428f239ae7dbb2b0b5612e65.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe
2656	0c2d05e1428f239ae7dbb2b0b5612e65.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2656	1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe	29
PID 1672 wrote to memory of 2656	1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe	29
PID 1672 wrote to memory of 2656	1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe	29
PID 1672 wrote to memory of 2656	1672	0c2d05e1428f239ae7dbb2b0b5612e65.exe	29

C:\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe
"C:\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe
  C:\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe

Filesize
98KB

MD5
82e51560c125c0849eff8405bd12e581

SHA1
93d8499dba305dd6e54bb7dfbfddce22f2bc89fb

SHA256
7eee57b334e7ceb19e11b09bd37b75718659d33febfca91ab8cb3c3398ba5ac7

SHA512
b0c25c4f402546b77644c536f4c3a6027800a84604ef888616c90595a25fb8d86b285acc49cc3f6add7e6019880a0b84ff57e0dbd264e49042d6a626ff81d52f

Download Submit
\Users\Admin\AppData\Local\Temp\0c2d05e1428f239ae7dbb2b0b5612e65.exe

Filesize
302KB

MD5
c66373c51e00a8a8854931a7c583a9e0

SHA1
1419928b2179a2e1c64d39a5ec0eeac0c82e73a6

SHA256
a26739bb6041eb0ec74932867d211675833c0f053c66260f60be804bbbc27cf5

SHA512
a64f5b16da8192b4800900f430d0aa8d99da940b54e578bbea55ef6aa8e9f460aba3cdab2b17df7f4e14fc0450d9b4b5f134d856a2433818420f23eb0ebcf656

Download Submit
memory/1672-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1672-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-1-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1672-16-0x00000000014E0000-0x00000000015C0000-memory.dmp

Filesize
896KB

Download
memory/1672-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-19-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2656-21-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2656-43-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing