b64bfef7685465b2f9606ee5f078a941451e888d5006786b292430ef7fa62cc0

General

Target

3d204d37236a4c80fd43781028708c56.exe
Size

302KB
MD5

3d204d37236a4c80fd43781028708c56
SHA1

460669cc5dc1a05c4bff5a9a48497997dd8af864
SHA256

b64bfef7685465b2f9606ee5f078a941451e888d5006786b292430ef7fa62cc0
SHA512

93c7fb8ca0b666144669c44ed91bc42ac0a7fe394ec411a74a7b2b4662631ff07dfbfd5f31c971e130d04c1a149b9fed656e7e93d283928c39b156f93a9cf9b7
SSDEEP

3072:jA/+d0mFDqD1xvakegOIxiVy8xA+93zCdBsJj+uSHLCZU+8yXW6NB3n7N4Vv1eNi:jA/+dYDGgtxNQ3zC2jDgpxyXlBMAmQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1340	3d204d37236a4c80fd43781028708c56.exe

Executes dropped EXE 1 IoCs

pid	Process
1340	3d204d37236a4c80fd43781028708c56.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	3d204d37236a4c80fd43781028708c56.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000a00000001226e-17.dat	upx
behavioral1/files/0x000a00000001226e-13.dat	upx
behavioral1/files/0x000a00000001226e-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3d204d37236a4c80fd43781028708c56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3d204d37236a4c80fd43781028708c56.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	3d204d37236a4c80fd43781028708c56.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	3d204d37236a4c80fd43781028708c56.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2052	3d204d37236a4c80fd43781028708c56.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2052	3d204d37236a4c80fd43781028708c56.exe
1340	3d204d37236a4c80fd43781028708c56.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1340	2052	3d204d37236a4c80fd43781028708c56.exe	29
PID 2052 wrote to memory of 1340	2052	3d204d37236a4c80fd43781028708c56.exe	29
PID 2052 wrote to memory of 1340	2052	3d204d37236a4c80fd43781028708c56.exe	29
PID 2052 wrote to memory of 1340	2052	3d204d37236a4c80fd43781028708c56.exe	29

C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe
"C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe
  C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe

Filesize
59KB

MD5
1fb7e0a85d00b1ee1c8e7144a9057b96

SHA1
c29295227de9938898184538154835a2910d7310

SHA256
f07990d6ee7310e944cd65a55f8bb3890b5c62d93a6a584ee8d45845954ad716

SHA512
527e9c7125d79c7bcbdbce73cdbed6f6131ebdc17a1cedbc3b82909a6d2e06acb08baa47ecf20a9984467bb36527bc52197e9aac70e254bc00e23b5e3526f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe

Filesize
168KB

MD5
d269b2c5e0df81dba082c44ce2b55a12

SHA1
a5e6f5c2c13185b9caa5d578e8c3a7ec776901c2

SHA256
ad1108f63aa42e664b7b49c7815a05556a1cda2c00ea48e54a9c2217a9198604

SHA512
8784eba3f76932b2c1f69991e768ec88be6456e652e460989298677433fe2dc7df5b01d93d4a878737100d4c5179bcf01263268ee6a6c4129c8f964dbaa3c8ac

Download Submit
\Users\Admin\AppData\Local\Temp\3d204d37236a4c80fd43781028708c56.exe

Filesize
140KB

MD5
9a716e8036a20ff884de9dd594d17361

SHA1
c19f3034ce51551cb4aa40eed88a69aacc385eac

SHA256
f16ac93469e7357b8f95e303ca2cee92ce0e3d6cb56386fd944dc76ef48ac7c1

SHA512
c52a443564eb04eabe2779383140172a781ef2b9340beb3eac012ff143f4bdd2a86297639691e9054497e3d989af2d6c24cdd398f497f7de4453ee1759f39e6a

Download Submit
memory/1340-20-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1340-22-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1340-43-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2052-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2052-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-1-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2052-16-0x0000000022D00000-0x0000000022DE0000-memory.dmp

Filesize
896KB

Download
memory/2052-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing