afa8a565ef6053b08626ca31ba3fef5826e697bfb9389216f8178121bb5678fd

General

Target

04bdaff46cd1efedbf2ee6ef0126d60a.exe
Size

11.0MB
MD5

04bdaff46cd1efedbf2ee6ef0126d60a
SHA1

2f4eb0dea3ece52ed7bf1f9d40a324fcec1de095
SHA256

afa8a565ef6053b08626ca31ba3fef5826e697bfb9389216f8178121bb5678fd
SHA512

71cb789e692c8c0c1951a7f0c4d39eea2d1f8a9f27a4a5ce03023ec7807f1b37bec453c058aff0ce06c32ec75f573c9aa80168af774534843415bacd27c3fb59
SSDEEP

98304:Sw6JmblBqL5XUxb35mCckFR+vicS43bPeLoqbE1KcYE1UP35mCckFR+vicS43:0suL5a133FR+6cT9qfcY5R33FR+6c

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	04bdaff46cd1efedbf2ee6ef0126d60a.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	04bdaff46cd1efedbf2ee6ef0126d60a.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000a000000012247-11.dat	upx
behavioral1/files/0x000a000000012247-14.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	04bdaff46cd1efedbf2ee6ef0126d60a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	04bdaff46cd1efedbf2ee6ef0126d60a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe
2672	04bdaff46cd1efedbf2ee6ef0126d60a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2672	1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe	28
PID 1736 wrote to memory of 2672	1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe	28
PID 1736 wrote to memory of 2672	1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe	28
PID 1736 wrote to memory of 2672	1736	04bdaff46cd1efedbf2ee6ef0126d60a.exe	28

C:\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe
"C:\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe
  C:\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe

Filesize
88KB

MD5
ee47d8d14c9c8214c040ec9028f49546

SHA1
6404352ef4c594549eae5aac3d0862b7b0b5d1e0

SHA256
5fdf547817f33de9b2ea848e6957cd9ef8d5a106c2b53b5232107070900890ed

SHA512
9ddaaf6bf245afb0459917b06726d8d2a3a7d02cb2bb91834da7c66c974582e76fec80fecf845692b49708d1b92c9b7e736f328ee4b7f160368d22300a83c5d3

Download Submit
\Users\Admin\AppData\Local\Temp\04bdaff46cd1efedbf2ee6ef0126d60a.exe

Filesize
46KB

MD5
28a9488d6a2ab49a7db3c669607e2d0f

SHA1
b79c2aa18519254af945b16944fdcb8ff29d1209

SHA256
6a2bc3973e9a26b98d3cd0d1bf79de42d275aca0b709b451cc2b466488ecb2d7

SHA512
c3a6187a05f0fac8c9cca632fb83d09d95cc61f00d5526a906b7e1e611a784bb58e92dadcd2c42944d3ac5cf3cc2c62f6754cb1a3631b675414573d08e6bc523

Download Submit
memory/1736-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1736-4-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1736-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1736-16-0x0000000004C40000-0x00000000055DE000-memory.dmp

Filesize
9.6MB

Download
memory/1736-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1736-43-0x0000000004C40000-0x00000000055DE000-memory.dmp

Filesize
9.6MB

Download
memory/2672-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2672-21-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2672-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing