80e84f5dcca926fd33422c60b9890f7a4ecc58770efa44ee0509183de296c3e1

General

Target

0464a3136a49d8cabd02d856f970c2fd.exe
Size

133KB
MD5

0464a3136a49d8cabd02d856f970c2fd
SHA1

f050163446afd79b2fc3529d5ce0860acc5a76b0
SHA256

80e84f5dcca926fd33422c60b9890f7a4ecc58770efa44ee0509183de296c3e1
SHA512

705c282ba40537910f3bc4c06704861eedd3232b4851e1db4d552247afe940d6ef78d18147a6942dde2839956b9d09cae6022e7ff530bd9cabb80d8789c54ce9
SSDEEP

3072:BA/oA0eWuz5WVAddMX6N67eSY2Alfqx4XGBJWSjQD3hmfpVw9Q:pA0eWbAdvSZAlyx4XGBMSED3YRVw9Q

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2176	0464a3136a49d8cabd02d856f970c2fd.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	0464a3136a49d8cabd02d856f970c2fd.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	0464a3136a49d8cabd02d856f970c2fd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x0009000000015f01-11.dat	upx
behavioral1/files/0x0009000000015f01-14.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0464a3136a49d8cabd02d856f970c2fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0464a3136a49d8cabd02d856f970c2fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0464a3136a49d8cabd02d856f970c2fd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0464a3136a49d8cabd02d856f970c2fd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3024	0464a3136a49d8cabd02d856f970c2fd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3024	0464a3136a49d8cabd02d856f970c2fd.exe
2176	0464a3136a49d8cabd02d856f970c2fd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2176	3024	0464a3136a49d8cabd02d856f970c2fd.exe	29
PID 3024 wrote to memory of 2176	3024	0464a3136a49d8cabd02d856f970c2fd.exe	29
PID 3024 wrote to memory of 2176	3024	0464a3136a49d8cabd02d856f970c2fd.exe	29
PID 3024 wrote to memory of 2176	3024	0464a3136a49d8cabd02d856f970c2fd.exe	29

C:\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe
"C:\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe
  C:\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe

Filesize
133KB

MD5
ebfbff6a4067b4bd949a1e958c7e39b6

SHA1
055427891bba3bc54f350b7d72bccdb879cf2c70

SHA256
78fdbdb5d35524acadd2bd24ac010002b9ce4a942ac3ba9cbf7c8f8fc0be52f8

SHA512
6d823fc5430e2a617dcd4af60cc624b42a87537e03001a4f4f24a0ec13e805feb5eb86ca51fa7ee9b4c0b2655645fff248730a00735aae8e982564b0aecc7b6a

Download Submit
\Users\Admin\AppData\Local\Temp\0464a3136a49d8cabd02d856f970c2fd.exe

Filesize
92KB

MD5
ac6029602b620045dac78af849a47b75

SHA1
8b09aae13f51bf031588955f4fa1982ff273a4dc

SHA256
8e3475df9c9254cf622d178ca5d9c96413c51ce16ee1cad90862b7b964cd31b0

SHA512
d6a6d1befe9832c3cbd3c1a1b7e03edce61dc36a7d11a3a6745766fee5d4462358236c93bb53f6bdf4120fe2dea07718c14369a2742d0a6af29f54e9f60a6b6c

Download Submit
memory/2176-16-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2176-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2176-32-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3024-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3024-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-10-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/3024-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing