0a8b4703517118f05483c8d7f3416130f1e8cb5e512fd4a756c2fb4ada2cd43f

General

Target

211da615bc1c5bda63e8ed3caecaf68b.exe
Size

501KB
MD5

211da615bc1c5bda63e8ed3caecaf68b
SHA1

818ee48249335fc10b8b6fc42fca35bb66e9a95a
SHA256

0a8b4703517118f05483c8d7f3416130f1e8cb5e512fd4a756c2fb4ada2cd43f
SHA512

39cf4441d480647eb23f0744a86b5e2af62850da9d44ac096613ce1a085a7ed720b6903a4c909a7bb1f8277e4c5274e30ddff894eb3595cbeafa0a1cac71aabd
SSDEEP

12288:vRjPijdsbNjk1gl0cDdvC1wG1/fKyXzaVY0A5:vVmd4jBxvI1/fKyXzr0

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	211da615bc1c5bda63e8ed3caecaf68b.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	211da615bc1c5bda63e8ed3caecaf68b.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	211da615bc1c5bda63e8ed3caecaf68b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000e0000000122ec-11.dat	upx
behavioral1/memory/2280-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2008-15-0x0000000022F00000-0x000000002315C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2716	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	211da615bc1c5bda63e8ed3caecaf68b.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	211da615bc1c5bda63e8ed3caecaf68b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	211da615bc1c5bda63e8ed3caecaf68b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2008	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2008	211da615bc1c5bda63e8ed3caecaf68b.exe
2280	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2280	2008	211da615bc1c5bda63e8ed3caecaf68b.exe	29
PID 2008 wrote to memory of 2280	2008	211da615bc1c5bda63e8ed3caecaf68b.exe	29
PID 2008 wrote to memory of 2280	2008	211da615bc1c5bda63e8ed3caecaf68b.exe	29
PID 2008 wrote to memory of 2280	2008	211da615bc1c5bda63e8ed3caecaf68b.exe	29
PID 2280 wrote to memory of 2716	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	30
PID 2280 wrote to memory of 2716	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	30
PID 2280 wrote to memory of 2716	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	30
PID 2280 wrote to memory of 2716	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	30
PID 2280 wrote to memory of 2708	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 2280 wrote to memory of 2708	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 2280 wrote to memory of 2708	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 2280 wrote to memory of 2708	2280	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 2708 wrote to memory of 2620	2708	cmd.exe	34
PID 2708 wrote to memory of 2620	2708	cmd.exe	34
PID 2708 wrote to memory of 2620	2708	cmd.exe	34
PID 2708 wrote to memory of 2620	2708	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
"C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
  C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\NQxHYRga.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Nnb8kaFf43a4
      4⤵
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NQxHYRga.xml

Filesize
1KB

MD5
0048728fa4395ed7cb364b90524699ad

SHA1
49dcac5380837819c955d808dc66f291638021d4

SHA256
0b402b83b68db738c30bcd69e080b1c088db183d632b16e2f55ab0591e9d645e

SHA512
dc7ec2bcc1daa39a1b665747437752d2db70ff760d2ee849378236cddf0bdaf16c2174a8279570c8936fb0dd455fd1123fa8973c321cf3316a93b28f99e2a1df

Download Submit
\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe

Filesize
501KB

MD5
b886ebe1208c0fdf774cf9c2d94e7b74

SHA1
0b534f1f5adc6baf05ae4d33cfe8b710ecbe46a5

SHA256
636c961ad152c4dc12a463ddf0d39318ec4a623bea255f4f5f449ac7f5528533

SHA512
a41664afec236baaec23ffefb683703af92106dadcb94ac72af71b46b7afa3e3d74a036ba2901b134db2e89f2b588a648e43a25d2633eff75b6a403426904e90

Download Submit
memory/2008-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2008-2-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2008-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2008-15-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2008-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2008-43-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2280-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2280-20-0x00000000002A0000-0x000000000031E000-memory.dmp

Filesize
504KB

Download
memory/2280-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2280-31-0x0000000000320000-0x000000000038B000-memory.dmp

Filesize
428KB

Download
memory/2280-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads