eafd961168a4966b3a71181adb0d7641118a13fd98ead2d80e6d918835f7c1b3

General

Target

03cf4393cba473ec10d58ab0143353f7.exe
Size

1.6MB
MD5

03cf4393cba473ec10d58ab0143353f7
SHA1

ffc3bc567215502b8d6ca640f7ce85275a29958d
SHA256

eafd961168a4966b3a71181adb0d7641118a13fd98ead2d80e6d918835f7c1b3
SHA512

34e1deee7ce5d6020ddec262c3815d9a1a406c14d5a4290c9d4283da46427c7c3c78e69b43580797922c7ec69c1858a6b1237348127e87cee64b760cb4a469cf
SSDEEP

49152:JTwCIVPcakLz0YIzH15jsfWXYi1JBcakLz0O:JTwCIVPcakcYAH15jyWIi1JBcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	03cf4393cba473ec10d58ab0143353f7.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	03cf4393cba473ec10d58ab0143353f7.exe

Loads dropped DLL 1 IoCs

pid	Process
2604	03cf4393cba473ec10d58ab0143353f7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x001000000000b1f5-13.dat	upx
behavioral1/files/0x001000000000b1f5-15.dat	upx
behavioral1/files/0x001000000000b1f5-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	03cf4393cba473ec10d58ab0143353f7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	03cf4393cba473ec10d58ab0143353f7.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	03cf4393cba473ec10d58ab0143353f7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	03cf4393cba473ec10d58ab0143353f7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2604	03cf4393cba473ec10d58ab0143353f7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2604	03cf4393cba473ec10d58ab0143353f7.exe
2764	03cf4393cba473ec10d58ab0143353f7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2764	2604	03cf4393cba473ec10d58ab0143353f7.exe	30
PID 2604 wrote to memory of 2764	2604	03cf4393cba473ec10d58ab0143353f7.exe	30
PID 2604 wrote to memory of 2764	2604	03cf4393cba473ec10d58ab0143353f7.exe	30
PID 2604 wrote to memory of 2764	2604	03cf4393cba473ec10d58ab0143353f7.exe	30
PID 2764 wrote to memory of 2956	2764	03cf4393cba473ec10d58ab0143353f7.exe	31
PID 2764 wrote to memory of 2956	2764	03cf4393cba473ec10d58ab0143353f7.exe	31
PID 2764 wrote to memory of 2956	2764	03cf4393cba473ec10d58ab0143353f7.exe	31
PID 2764 wrote to memory of 2956	2764	03cf4393cba473ec10d58ab0143353f7.exe	31
PID 2764 wrote to memory of 1064	2764	03cf4393cba473ec10d58ab0143353f7.exe	33
PID 2764 wrote to memory of 1064	2764	03cf4393cba473ec10d58ab0143353f7.exe	33
PID 2764 wrote to memory of 1064	2764	03cf4393cba473ec10d58ab0143353f7.exe	33
PID 2764 wrote to memory of 1064	2764	03cf4393cba473ec10d58ab0143353f7.exe	33
PID 1064 wrote to memory of 460	1064	cmd.exe	35
PID 1064 wrote to memory of 460	1064	cmd.exe	35
PID 1064 wrote to memory of 460	1064	cmd.exe	35
PID 1064 wrote to memory of 460	1064	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe
"C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe
  C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe" /TN m8v9k5kD0c8e /F
    3⤵
    - Creates scheduled task(s)
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\cjCqzD.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN m8v9k5kD0c8e
      4⤵
      PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe

Filesize
123KB

MD5
2bd149d6235e922295cc39026c806967

SHA1
aeaf7ef19a5bbe681094fbb9ce7beb982955ccb9

SHA256
6751ca2653a285fc6e03a84eaa7c6a77ac02b78e010f4b49dc7f79ddffe7726e

SHA512
a030bceb381e566ea55003ffbc9aa3c94900f63c8692c7f2e536c423e380fea993b67916af224446ae32692aa79e2a2a4dd3a6e8f50c9be5013e1f81fae6294b

Download Submit
C:\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe

Filesize
109KB

MD5
1a474981b3f712fe69480167dd12c4e3

SHA1
e800633627fd917bfdee3a113f75a2b6bd5d6416

SHA256
9b941e7db633b687431d22d3a67156be5f0a148fd946d6e3eb1cec282506a753

SHA512
44d38c9fc679490cc9d2510270b4aaff66a3c6d059ae750c0c110cdc34133eae785056bb8cf530a97d2272d5130057c577c32db1c34f5f9a2f5d47c1a737d02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjCqzD.xml

Filesize
1KB

MD5
41b95cb9a7e7a6b792840870a6e8d7fd

SHA1
09e0284409042171a013811373d295b9cc0ea7bb

SHA256
66476f2b694de0fc68166c1643ad134f52c6d930bccbcb87517c3ea8e9db5668

SHA512
a3fc37907e86f23ae6e4264927cc0692b18142ffad92ff42f3134ddd313777ac5522eb36dba30fe44e9121f2ebafe23c92ebf5d18a1bd9662d1e16174f749aa2

Download Submit
\Users\Admin\AppData\Local\Temp\03cf4393cba473ec10d58ab0143353f7.exe

Filesize
151KB

MD5
3857781c2043835c880658d4e4fd4fcb

SHA1
826800cfd8eb78ed0a7b9cd75cd6f8044342b3d1

SHA256
6750a11e39e44a13d2c5993916badd5115a9cc29bfd28e8581de48805881673b

SHA512
20c41ec17b645fe3f58c02b156bd782e76aeadb183eecb130a0ea7a603a4afb736c9c2b0a6292533976abbb88cd4d5ac964deeeb7b0e7e0c642b51a27d97dfb5

Download Submit
memory/2604-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2604-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2604-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2604-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2764-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2764-26-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2764-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-19-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2764-31-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads