aaac811a26a5e674f5c1ae43e5f0c4999dcbfa993989fedec23504e907509dd3

General

Target

798cb1a90c067f2eee577a7dd05f8e2f.exe
Size

1003KB
MD5

798cb1a90c067f2eee577a7dd05f8e2f
SHA1

7d865a17055ec5c0850e2d89de8190a7b95c08f6
SHA256

aaac811a26a5e674f5c1ae43e5f0c4999dcbfa993989fedec23504e907509dd3
SHA512

5ce30d7d45743c3aff58350b791afd00c02725cc0174ccd136591b2208d076388fcdda05d8dc06db22096f9f744d77ce10db52bd69dc87400798d09b956778eb
SSDEEP

24576:HgTV6dM0wtZ7yjFXcH5f+64JRWFULCD+:HgTVISZOjhcN+9zWFULG+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	798cb1a90c067f2eee577a7dd05f8e2f.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	798cb1a90c067f2eee577a7dd05f8e2f.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	798cb1a90c067f2eee577a7dd05f8e2f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1444-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012238-11.dat	upx
behavioral1/memory/1444-16-0x0000000022F20000-0x000000002317C000-memory.dmp	upx
behavioral1/memory/2732-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	798cb1a90c067f2eee577a7dd05f8e2f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	798cb1a90c067f2eee577a7dd05f8e2f.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	798cb1a90c067f2eee577a7dd05f8e2f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	798cb1a90c067f2eee577a7dd05f8e2f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1444	798cb1a90c067f2eee577a7dd05f8e2f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1444	798cb1a90c067f2eee577a7dd05f8e2f.exe
2732	798cb1a90c067f2eee577a7dd05f8e2f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2732	1444	798cb1a90c067f2eee577a7dd05f8e2f.exe	29
PID 1444 wrote to memory of 2732	1444	798cb1a90c067f2eee577a7dd05f8e2f.exe	29
PID 1444 wrote to memory of 2732	1444	798cb1a90c067f2eee577a7dd05f8e2f.exe	29
PID 1444 wrote to memory of 2732	1444	798cb1a90c067f2eee577a7dd05f8e2f.exe	29
PID 2732 wrote to memory of 2660	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	30
PID 2732 wrote to memory of 2660	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	30
PID 2732 wrote to memory of 2660	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	30
PID 2732 wrote to memory of 2660	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	30
PID 2732 wrote to memory of 2968	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	32
PID 2732 wrote to memory of 2968	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	32
PID 2732 wrote to memory of 2968	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	32
PID 2732 wrote to memory of 2968	2732	798cb1a90c067f2eee577a7dd05f8e2f.exe	32
PID 2968 wrote to memory of 2800	2968	cmd.exe	34
PID 2968 wrote to memory of 2800	2968	cmd.exe	34
PID 2968 wrote to memory of 2800	2968	cmd.exe	34
PID 2968 wrote to memory of 2800	2968	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe
"C:\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe
  C:\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\GDfBNTxmw.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\798cb1a90c067f2eee577a7dd05f8e2f.exe

Filesize
1003KB

MD5
ac8b40c110a0ed259e7a0aced7095dc2

SHA1
e7cc76bca5e9684a4ef6c51e195579c62695cfbc

SHA256
ba46df2e0d7051f968f8b33d5142d8aef3636acacaf9b9574a5d6f95821e6089

SHA512
411dc7120092f4a7278dd44d65a381acf1b67ba6257655f48a5a481f912c70d334fcf30d5f7ed3d0c7d0b5e00e63c4f6223615c51682ff9f07afee6307a94600

Download Submit
memory/1444-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1444-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1444-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1444-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1444-16-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/2732-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2732-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2732-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2732-29-0x00000000002B0000-0x000000000031B000-memory.dmp

Filesize
428KB

Download
memory/2732-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads