43dd0746428020699c243e8de0dc28ab6b778f54b522524bf226c17b0b577db3

General

Target

022df4c53a97cc56f647a0936e6754e1.exe
Size

3.9MB
MD5

022df4c53a97cc56f647a0936e6754e1
SHA1

72dc82c601d2d89c815d29949be5d5586c28fb61
SHA256

43dd0746428020699c243e8de0dc28ab6b778f54b522524bf226c17b0b577db3
SHA512

43ae94171d3665b85be06f110a99b9d509116a0c3051883e4be8fbe2651df1f5f3bf1d8ba68a2ad479a8f2514dafe38047609486a3745a8a5d67f4abd1e89b4e
SSDEEP

98304:wCgXH2URkBcakcibiqhZYOgSo2RcakcibiqhdkzGkIzczsboncakcibiqhZYOgSs:wVXH2Uydlir3g0RdlirvkqkIzJbondlh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1168	022df4c53a97cc56f647a0936e6754e1.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	022df4c53a97cc56f647a0936e6754e1.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	022df4c53a97cc56f647a0936e6754e1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012243-11.dat	upx
behavioral1/memory/2236-16-0x0000000023610000-0x000000002386C000-memory.dmp	upx
behavioral1/memory/1168-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	022df4c53a97cc56f647a0936e6754e1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	022df4c53a97cc56f647a0936e6754e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	022df4c53a97cc56f647a0936e6754e1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	022df4c53a97cc56f647a0936e6754e1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2236	022df4c53a97cc56f647a0936e6754e1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2236	022df4c53a97cc56f647a0936e6754e1.exe
1168	022df4c53a97cc56f647a0936e6754e1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1168	2236	022df4c53a97cc56f647a0936e6754e1.exe	29
PID 2236 wrote to memory of 1168	2236	022df4c53a97cc56f647a0936e6754e1.exe	29
PID 2236 wrote to memory of 1168	2236	022df4c53a97cc56f647a0936e6754e1.exe	29
PID 2236 wrote to memory of 1168	2236	022df4c53a97cc56f647a0936e6754e1.exe	29
PID 1168 wrote to memory of 2764	1168	022df4c53a97cc56f647a0936e6754e1.exe	30
PID 1168 wrote to memory of 2764	1168	022df4c53a97cc56f647a0936e6754e1.exe	30
PID 1168 wrote to memory of 2764	1168	022df4c53a97cc56f647a0936e6754e1.exe	30
PID 1168 wrote to memory of 2764	1168	022df4c53a97cc56f647a0936e6754e1.exe	30
PID 1168 wrote to memory of 2708	1168	022df4c53a97cc56f647a0936e6754e1.exe	32
PID 1168 wrote to memory of 2708	1168	022df4c53a97cc56f647a0936e6754e1.exe	32
PID 1168 wrote to memory of 2708	1168	022df4c53a97cc56f647a0936e6754e1.exe	32
PID 1168 wrote to memory of 2708	1168	022df4c53a97cc56f647a0936e6754e1.exe	32
PID 2708 wrote to memory of 2824	2708	cmd.exe	34
PID 2708 wrote to memory of 2824	2708	cmd.exe	34
PID 2708 wrote to memory of 2824	2708	cmd.exe	34
PID 2708 wrote to memory of 2824	2708	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe
"C:\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe
  C:\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\V6cGbc4T.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V6cGbc4T.xml

Filesize
1KB

MD5
971d70f61aa2e93a3bc3bb183ecacc48

SHA1
b857bd1dfc706f350f6bbc8c08847b2cfd2e093d

SHA256
4de86682365c6af79b2669d078b8b4d24c1cd79f787ec3bc310852766b12d2bf

SHA512
ade9138cb44b38b6a5c9ec4b779ecb1d59bbec0dc587fdcd56f75aea435ab572549879c9aa941c2cb1a170d60b7e2bf43aeaa74d6e1608c8575f735930138e60

Download Submit
\Users\Admin\AppData\Local\Temp\022df4c53a97cc56f647a0936e6754e1.exe

Filesize
3.9MB

MD5
7153112d3026cb9639908ce9c23f8ec2

SHA1
81092e69fa70eb5e29821a08e49efce4770ca657

SHA256
ead7ce86c5d8c70415221d9d75e1b90b85747b7624779b4350da8a120bf6b911

SHA512
598d143d59b49769c4414493911b5044a3007bf5588d7e94dd6a985f878f2496c3a2c2651a50c27611b92ae7cb1181170a60b0aae5f61b7adcbd685b7e6aa877

Download Submit
memory/1168-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1168-20-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1168-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1168-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1168-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2236-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2236-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2236-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2236-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2236-16-0x0000000023610000-0x000000002386C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads