298160898f7dab88f6c6d7ca5478b8ab81b614d4ee025877a0c6017e30823893

General

Target

0439163d95fcc9dd62b91dff9dfdd2a7.exe
Size

2.0MB
MD5

0439163d95fcc9dd62b91dff9dfdd2a7
SHA1

f063eb563e42a842034a1cc0b3e18d947e005d80
SHA256

298160898f7dab88f6c6d7ca5478b8ab81b614d4ee025877a0c6017e30823893
SHA512

de98f6d287d747c1a717d11c1a752c98f9690c9574a096268f19cf14f6ea900adbc2fe78b15c8799f7511e8cd5621e9fd4a1d98cb5b64e918be39a8fae6e0e00
SSDEEP

49152:JBjdqMokrcakLz0ibq6yqhMt7RJwnOcakLz0ibq6yqh:rdqMogcakcibiqhMVqOcakcibiqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2656-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012281-15.dat	upx
behavioral1/files/0x0009000000012281-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0439163d95fcc9dd62b91dff9dfdd2a7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0439163d95fcc9dd62b91dff9dfdd2a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0439163d95fcc9dd62b91dff9dfdd2a7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0439163d95fcc9dd62b91dff9dfdd2a7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe
2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2656	2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe	29
PID 2156 wrote to memory of 2656	2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe	29
PID 2156 wrote to memory of 2656	2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe	29
PID 2156 wrote to memory of 2656	2156	0439163d95fcc9dd62b91dff9dfdd2a7.exe	29
PID 2656 wrote to memory of 2764	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	30
PID 2656 wrote to memory of 2764	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	30
PID 2656 wrote to memory of 2764	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	30
PID 2656 wrote to memory of 2764	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	30
PID 2656 wrote to memory of 2576	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	32
PID 2656 wrote to memory of 2576	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	32
PID 2656 wrote to memory of 2576	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	32
PID 2656 wrote to memory of 2576	2656	0439163d95fcc9dd62b91dff9dfdd2a7.exe	32
PID 2576 wrote to memory of 2620	2576	cmd.exe	34
PID 2576 wrote to memory of 2620	2576	cmd.exe	34
PID 2576 wrote to memory of 2620	2576	cmd.exe	34
PID 2576 wrote to memory of 2620	2576	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe
"C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe
  C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\pcHlemF.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe

Filesize
367KB

MD5
e026e8d5cf90474d25239aa76526c92e

SHA1
31bb9c65d67cfc6374231eff643a845900fdbfc2

SHA256
7883801f7e485b54b045f6d063a0698f7612d40489d921cee9133ddfe80d137b

SHA512
e165ab8dd8b871e81283f3aca71dbc4ec26ced05e2082ccbd8a1b570a751f29dd7b70e025510189eae95a04b099670fa9e7d592b2f13d1e07bb709793aa6a751

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcHlemF.xml

Filesize
1KB

MD5
8610e4094734c6b87e428c8aa81da9f3

SHA1
a1ea6b665a4820bdead8d82e5a2119a1f6f467e1

SHA256
6310e058a2e390724eeda387c131561211eaad84e1e178b3797fda482d1c41d7

SHA512
16fdd6d51f35a02573cea9e0c3f8b162e584d1224be122b7c75a0415599e97aad31963243887345c1d5ac3e05bac9da7236e849fdbd8efaa25070abb01909c47

Download Submit
\Users\Admin\AppData\Local\Temp\0439163d95fcc9dd62b91dff9dfdd2a7.exe

Filesize
636KB

MD5
953eca77d4c57016183883769d962083

SHA1
a130ad45002675cc333fffa33b428f879dd1d785

SHA256
4346aa2f4ae4513601e6a05234cf82af669ddc0be8a3083f5e326e84f20b1fd2

SHA512
fa0e3b6ce2d6bfd6f0ea791ba2a66d289d7312a2dd11158b93087929655bd33c4ee34c39aa8a2945cc1c8a67ab2932c0d41c1af6b8d74784d6de6709c2dd243a

Download Submit
memory/2156-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2156-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2156-3-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2156-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2656-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2656-19-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/2656-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2656-26-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2656-31-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads