2c8582895c86201aa9f95178e45f7a5d5d4bbe4cba3d35cddbb1219d3169903b

General

Target

05b61e1ecdeef855125b966e0ce02f54.exe
Size

3.0MB
MD5

05b61e1ecdeef855125b966e0ce02f54
SHA1

21b81dd98421d0e060dfa68c7edd4829126cd936
SHA256

2c8582895c86201aa9f95178e45f7a5d5d4bbe4cba3d35cddbb1219d3169903b
SHA512

ffc74de2ffebf7057b1cf0eb886ee476ec12be0b8508b23124788a39ea9b3f1df839161a5413b4f5f2b170e063e2f9e3d5ec357296713100a4bf7414f77badbc
SSDEEP

49152:cx0py9HwcakLhukrCZ6T6GfUstcakLc2QTl/UD0b3NAzYGcakLhukrCZ6T6GfUsI:cx3pwcakl1rCZ+6GfUstcakY2mlc4GYk

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	05b61e1ecdeef855125b966e0ce02f54.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	05b61e1ecdeef855125b966e0ce02f54.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	05b61e1ecdeef855125b966e0ce02f54.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000e0000000122f0-11.dat	upx
behavioral1/files/0x000e0000000122f0-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	05b61e1ecdeef855125b966e0ce02f54.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	05b61e1ecdeef855125b966e0ce02f54.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	05b61e1ecdeef855125b966e0ce02f54.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	05b61e1ecdeef855125b966e0ce02f54.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2756	05b61e1ecdeef855125b966e0ce02f54.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2756	05b61e1ecdeef855125b966e0ce02f54.exe
2728	05b61e1ecdeef855125b966e0ce02f54.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2728	2756	05b61e1ecdeef855125b966e0ce02f54.exe	29
PID 2756 wrote to memory of 2728	2756	05b61e1ecdeef855125b966e0ce02f54.exe	29
PID 2756 wrote to memory of 2728	2756	05b61e1ecdeef855125b966e0ce02f54.exe	29
PID 2756 wrote to memory of 2728	2756	05b61e1ecdeef855125b966e0ce02f54.exe	29
PID 2728 wrote to memory of 2708	2728	05b61e1ecdeef855125b966e0ce02f54.exe	31
PID 2728 wrote to memory of 2708	2728	05b61e1ecdeef855125b966e0ce02f54.exe	31
PID 2728 wrote to memory of 2708	2728	05b61e1ecdeef855125b966e0ce02f54.exe	31
PID 2728 wrote to memory of 2708	2728	05b61e1ecdeef855125b966e0ce02f54.exe	31
PID 2728 wrote to memory of 1580	2728	05b61e1ecdeef855125b966e0ce02f54.exe	33
PID 2728 wrote to memory of 1580	2728	05b61e1ecdeef855125b966e0ce02f54.exe	33
PID 2728 wrote to memory of 1580	2728	05b61e1ecdeef855125b966e0ce02f54.exe	33
PID 2728 wrote to memory of 1580	2728	05b61e1ecdeef855125b966e0ce02f54.exe	33
PID 1580 wrote to memory of 2824	1580	cmd.exe	36
PID 1580 wrote to memory of 2824	1580	cmd.exe	36
PID 1580 wrote to memory of 2824	1580	cmd.exe	36
PID 1580 wrote to memory of 2824	1580	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
"C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
  C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\7m498.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Nnb8kaFf43a4
      4⤵
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe

Filesize
359KB

MD5
87f848504046d20be653e062ebd657c9

SHA1
29e9e1a2e7f2e0c0236b939eccfd1a48ca14aa3f

SHA256
67f25ac26eef424db8b8db584f625ef9b10f8ebcdc4d2dacdb189825c1177d41

SHA512
160dfb0c2ebcd5868a82e99e6579a507d8947596ba4365e7f2d7d691fcd174b3e57d5589c4c9fb61935f1f4dbef111bd82d7b3f80ea9a230b48c7de28419aa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7m498.xml

Filesize
1KB

MD5
80a3688a8acb6249ad4604691531248e

SHA1
ec960fb659392255f47d73804f767c11028c041a

SHA256
73ee32732abdb681ed14667397420198c744f76412132c3e7fc5bb34f0898d25

SHA512
fd04e43c86776df9e1c2fa117a25cf628eabbb79796971a9c7bd126ef0e287153255660c0639dfb71dc9b7ae0e59f79a1fa4d1e6e8573df30e564ce8d3a6ed88

Download Submit
\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe

Filesize
486KB

MD5
86486ff683b2e756b416f69e7e06ed0a

SHA1
d732eb2e8883b48fc04cbb9ff36e872fda54d09a

SHA256
a7ef46b95778530bc4ce91ac25001ed42f530db0be2d73651a4b47b6e3ae7d73

SHA512
7b750aa65d24849b80af72ecea01dd7a5228879717448cb231b453128c4e4cef683621d27417b4a504bfbdda3419e6e9ac6abf65eaa0c95b6cdd03475f567955

Download Submit
memory/2728-28-0x00000000002B0000-0x000000000031B000-memory.dmp

Filesize
428KB

Download
memory/2728-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2728-22-0x00000000001B0000-0x000000000022E000-memory.dmp

Filesize
504KB

Download
memory/2728-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2728-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2756-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-16-0x00000000235C0000-0x000000002381C000-memory.dmp

Filesize
2.4MB

Download
memory/2756-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2756-2-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads