4a5e747ae28948df4bf3c7fa2d249c0f8dd39dfdde9a733b69ae6a6ad383f2c2

General

Target

02ae8736611d3bccc120e3579bdd76df.exe
Size

501KB
MD5

02ae8736611d3bccc120e3579bdd76df
SHA1

1048439bd12d6837aafd04fb61efbb5d766fb8b1
SHA256

4a5e747ae28948df4bf3c7fa2d249c0f8dd39dfdde9a733b69ae6a6ad383f2c2
SHA512

69ce18d017e7e26fded9212a03cc5a03a5bbb12a1175ea479336d85ada6e0f485cf6ba877d182fcd373fce73fdf30b7a73c2578b1cfd45cdeaae2ac7c1252aa8
SSDEEP

12288:wkAOVOhk1KsO+z+fVI1iGTfuMV6I9k9h8bIC:w82sHSfsi2V6Ia9h8bx

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2976	02ae8736611d3bccc120e3579bdd76df.exe

Executes dropped EXE 1 IoCs

pid	Process
2976	02ae8736611d3bccc120e3579bdd76df.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	02ae8736611d3bccc120e3579bdd76df.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012263-11.dat	upx
behavioral1/files/0x000b000000012263-15.dat	upx
behavioral1/memory/2976-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	02ae8736611d3bccc120e3579bdd76df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	02ae8736611d3bccc120e3579bdd76df.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	02ae8736611d3bccc120e3579bdd76df.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	02ae8736611d3bccc120e3579bdd76df.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2776	02ae8736611d3bccc120e3579bdd76df.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2776	02ae8736611d3bccc120e3579bdd76df.exe
2976	02ae8736611d3bccc120e3579bdd76df.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2976	2776	02ae8736611d3bccc120e3579bdd76df.exe	29
PID 2776 wrote to memory of 2976	2776	02ae8736611d3bccc120e3579bdd76df.exe	29
PID 2776 wrote to memory of 2976	2776	02ae8736611d3bccc120e3579bdd76df.exe	29
PID 2776 wrote to memory of 2976	2776	02ae8736611d3bccc120e3579bdd76df.exe	29
PID 2976 wrote to memory of 2692	2976	02ae8736611d3bccc120e3579bdd76df.exe	30
PID 2976 wrote to memory of 2692	2976	02ae8736611d3bccc120e3579bdd76df.exe	30
PID 2976 wrote to memory of 2692	2976	02ae8736611d3bccc120e3579bdd76df.exe	30
PID 2976 wrote to memory of 2692	2976	02ae8736611d3bccc120e3579bdd76df.exe	30
PID 2976 wrote to memory of 2628	2976	02ae8736611d3bccc120e3579bdd76df.exe	34
PID 2976 wrote to memory of 2628	2976	02ae8736611d3bccc120e3579bdd76df.exe	34
PID 2976 wrote to memory of 2628	2976	02ae8736611d3bccc120e3579bdd76df.exe	34
PID 2976 wrote to memory of 2628	2976	02ae8736611d3bccc120e3579bdd76df.exe	34
PID 2628 wrote to memory of 2268	2628	cmd.exe	33
PID 2628 wrote to memory of 2268	2628	cmd.exe	33
PID 2628 wrote to memory of 2268	2628	cmd.exe	33
PID 2628 wrote to memory of 2268	2628	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe
"C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe
  C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\CD5zt.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN MXmKXYLpa01b
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe

Filesize
144KB

MD5
36d570775f782ad00b06243161be60f2

SHA1
ee46f0632a2e3f4fd8267d663cfd6047838a4443

SHA256
8f70fe0159e1d436965a93892ace2626c6af2db617245b6b6fc40bdd2a12054d

SHA512
385be7089d7560712f76366e2f8db4f866f1a300f566407c8944ebed854a1a90bdbd9947817515602eadb297bcff533e9e37e31eb0d9ebccaf41eb10678094df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD5zt.xml

Filesize
1KB

MD5
a643378e7cbcafb2184192b1056aba34

SHA1
076b621d6c06a5cde7f10e9c5813a594c2a8f835

SHA256
81193d8b8e1f2b390c9fb75e1c2f4cd6d8439019797e07d2aad6673a87a727f6

SHA512
f8b9b588b1987cb6395d00bb0437fd461a70f9298d436475a3af8c55de8abe4258f89284da9edde8f289b0ef972f0a5f40e4b468db0b5b6cc2e2e176db91bc94

Download Submit
\Users\Admin\AppData\Local\Temp\02ae8736611d3bccc120e3579bdd76df.exe

Filesize
188KB

MD5
6ea49c11055c15b3ad1399bf049d69dc

SHA1
2519654a78ba47255d4f568e09d18a6acbeff9b1

SHA256
d7fba4d1e432c5a20e7265580f442a7e72a80e4533ade0195a7a60567b49dcab

SHA512
1f6139bb7a9c0a274b0d5ace70b92cd6c66821c3cecdffe2bba54b804dda3ecfc36a1c7b7481a2c5eaa50cdb266974463233e2dc67cc35c66d42762bb9431726

Download Submit
memory/2776-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2776-4-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2776-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2776-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2776-17-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2976-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2976-31-0x0000000000320000-0x000000000038B000-memory.dmp

Filesize
428KB

Download
memory/2976-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2976-20-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/2976-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads