f409c1762bf4fef5a71c8f92ae8bb5016ddc0b97b71e43420283ce3b992c55d2

General

Target

027c4d8ad6dfc9df159fcdf8780b38c2.exe
Size

2.0MB
MD5

027c4d8ad6dfc9df159fcdf8780b38c2
SHA1

e462bfa4776738e38eb453d2c366df1dcd235eed
SHA256

f409c1762bf4fef5a71c8f92ae8bb5016ddc0b97b71e43420283ce3b992c55d2
SHA512

148f4262df55ba110cf21826d643a610ecea951a32002c8760bfb29a0b56ce9d8c8659f671b5c6d00ef4783fca2d3f5ff6adefce48a7b30033208a35e7181a77
SSDEEP

49152:uPMbLJQ0Is/GXkx/cakLz0ibq6yqhhubDY0CgOnQvEn0bcakLz0ibq6yqh:xJjIs/GX0/cakcibiqhMbMgOn7n0bcaI

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe

Loads dropped DLL 1 IoCs

pid	Process
1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-11.dat	upx
behavioral1/files/0x000a000000012255-17.dat	upx
behavioral1/memory/1160-15-0x00000000232C0000-0x000000002351C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	027c4d8ad6dfc9df159fcdf8780b38c2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	027c4d8ad6dfc9df159fcdf8780b38c2.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	027c4d8ad6dfc9df159fcdf8780b38c2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	027c4d8ad6dfc9df159fcdf8780b38c2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe
2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2072	1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe	29
PID 1160 wrote to memory of 2072	1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe	29
PID 1160 wrote to memory of 2072	1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe	29
PID 1160 wrote to memory of 2072	1160	027c4d8ad6dfc9df159fcdf8780b38c2.exe	29
PID 2072 wrote to memory of 2704	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	30
PID 2072 wrote to memory of 2704	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	30
PID 2072 wrote to memory of 2704	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	30
PID 2072 wrote to memory of 2704	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	30
PID 2072 wrote to memory of 2740	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	32
PID 2072 wrote to memory of 2740	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	32
PID 2072 wrote to memory of 2740	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	32
PID 2072 wrote to memory of 2740	2072	027c4d8ad6dfc9df159fcdf8780b38c2.exe	32
PID 2740 wrote to memory of 2944	2740	cmd.exe	34
PID 2740 wrote to memory of 2944	2740	cmd.exe	34
PID 2740 wrote to memory of 2944	2740	cmd.exe	34
PID 2740 wrote to memory of 2944	2740	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe
"C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe
  C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\u8ghZrlt.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe

Filesize
791KB

MD5
3da4bf17a78044edd6d3407d82bd4723

SHA1
e6d5ac1994085f0d7d99d4c2a16595c4a37d271b

SHA256
c7ad122f5990370b2da2fac8cdf0ea0c7344a93054a1b12ac011d4fb6f520cda

SHA512
d9608323ffdbe548778d42c1c86a163db3a5f4285f93851a30e3d4b462dda82c268f75a4441b228bf92c74338384b1e113ac4c1509026a7b344fea24832c3a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\u8ghZrlt.xml

Filesize
1KB

MD5
048c694d4f64c5daa1792e625d689352

SHA1
47b4b3fbac49676d723b993bebf1332d88cc71b9

SHA256
c852206ca41b451d75a893a2365e2cf1ad9ee666e6fb63fee8d50604c4820645

SHA512
243e9a70f6d63f24ee8367a246a706dcfcc9f98838e157619d3fa323cd930843f49e1079fdd334ac8f23944d72b1982fc80443637316cbeba8e5600babb3f33d

Download Submit
\Users\Admin\AppData\Local\Temp\027c4d8ad6dfc9df159fcdf8780b38c2.exe

Filesize
689KB

MD5
00d9306111645e616a7749b998ef2e75

SHA1
fb41f4f1b361afc5a17cc2d75b83db5c889f71a1

SHA256
98f186ea6b1a7acc9ebe7450d54fd8aa90a8605a98cd4035737c79a16f129465

SHA512
2aa055db4df6c7f0c8ee2ce6688cb32d6e3014b2afd6a18d69f2e48f1679a052f17db737a2f899e4d89b017f47a0934c674d10fd81c92c9ebecf63691729f2ad

Download Submit
memory/1160-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1160-3-0x00000000002D0000-0x000000000034E000-memory.dmp

Filesize
504KB

Download
memory/1160-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1160-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1160-15-0x00000000232C0000-0x000000002351C000-memory.dmp

Filesize
2.4MB

Download
memory/2072-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2072-27-0x00000000002C0000-0x000000000032B000-memory.dmp

Filesize
428KB

Download
memory/2072-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2072-20-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/2072-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads