5641ab1879076b099a08f5fd846810ca2ff8717a2a099c66b8933cad6f5b7f14

General

Target

1d65c0a566fcc837b3c1cca500e1bc67.exe
Size

2.0MB
MD5

1d65c0a566fcc837b3c1cca500e1bc67
SHA1

041fd730bbc03ebb36ab698ab536d0e8c37f0644
SHA256

5641ab1879076b099a08f5fd846810ca2ff8717a2a099c66b8933cad6f5b7f14
SHA512

4eabadebfa92c560dc55ae321ecc78ba0ff5062ecbd5e39b1e2177b0466f4ed3f3a58edad079451877474ca27df921d5fab3c3f1a4769908f0ab022b6b82faef
SSDEEP

49152:dnlG1Cslk3GQ7ai7D3xTgOxYwpK1Uaw5zptu5LECT1G8JGQ7ai7D3xTgOxYwpK:dnlaXm3D2i7D3xkOxYwpK1Uaw5zptu52

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2336	1d65c0a566fcc837b3c1cca500e1bc67.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	1d65c0a566fcc837b3c1cca500e1bc67.exe

Loads dropped DLL 1 IoCs

pid	Process
2552	1d65c0a566fcc837b3c1cca500e1bc67.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012234-11.dat	upx
behavioral1/files/0x000b000000012234-13.dat	upx
behavioral1/files/0x000b000000012234-17.dat	upx
behavioral1/memory/2552-16-0x0000000023230000-0x000000002348C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2876	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1d65c0a566fcc837b3c1cca500e1bc67.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1d65c0a566fcc837b3c1cca500e1bc67.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1d65c0a566fcc837b3c1cca500e1bc67.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1d65c0a566fcc837b3c1cca500e1bc67.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2552	1d65c0a566fcc837b3c1cca500e1bc67.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2552	1d65c0a566fcc837b3c1cca500e1bc67.exe
2336	1d65c0a566fcc837b3c1cca500e1bc67.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2336	2552	1d65c0a566fcc837b3c1cca500e1bc67.exe	29
PID 2552 wrote to memory of 2336	2552	1d65c0a566fcc837b3c1cca500e1bc67.exe	29
PID 2552 wrote to memory of 2336	2552	1d65c0a566fcc837b3c1cca500e1bc67.exe	29
PID 2552 wrote to memory of 2336	2552	1d65c0a566fcc837b3c1cca500e1bc67.exe	29
PID 2336 wrote to memory of 2876	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	31
PID 2336 wrote to memory of 2876	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	31
PID 2336 wrote to memory of 2876	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	31
PID 2336 wrote to memory of 2876	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	31
PID 2336 wrote to memory of 2904	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	34
PID 2336 wrote to memory of 2904	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	34
PID 2336 wrote to memory of 2904	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	34
PID 2336 wrote to memory of 2904	2336	1d65c0a566fcc837b3c1cca500e1bc67.exe	34
PID 2904 wrote to memory of 2720	2904	cmd.exe	33
PID 2904 wrote to memory of 2720	2904	cmd.exe	33
PID 2904 wrote to memory of 2720	2904	cmd.exe	33
PID 2904 wrote to memory of 2720	2904	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe
"C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe
  C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\vxukqiOAi.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe

Filesize
1.2MB

MD5
de8e4c9d9a55fdd08c8ff0e36869819a

SHA1
7eeb35c8938283d63f668161d61ae8ae37d130cd

SHA256
9b0a1c1e72cf90399df1b834be8b098b26b8c7d3dc73ee6b966f333f0fd84674

SHA512
732f802f0aae8dee2b50690a87f97f92cdaa6eb67d879616940487d7e02cb65f14534e412574342dec1f3e1a562f95d09553d0a09f5bac7936b17a55aaea7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe

Filesize
876KB

MD5
181ce9dcae911ad3220b825a146e3307

SHA1
4c533746fb5e323c99121681fcbea18cc3e21789

SHA256
995d575a9f5686624f1d6aee306a24ff1f717a2814e1b2de8d35bad321d815ed

SHA512
bd34f2b42a8784e301536dc451872cae7235e8f7ce9c26077f60c558ec40737d654a9e859fba1b1e9ac08280b70fa3708ac39491a0a85f4f0660f92c5ea5106f

Download Submit
\Users\Admin\AppData\Local\Temp\1d65c0a566fcc837b3c1cca500e1bc67.exe

Filesize
833KB

MD5
4d3d5bccefd0590445f5b6ce8cf07f50

SHA1
307d310b37da01f36b6831b7f93e16ba2aa5cbbb

SHA256
c12b37ecda2f5cbf897ba84e360faee9225cdb43b36aa2c4d04b7a569b003251

SHA512
46b137a69676a0a020d32bc2dfcb57a854702ef726b79f32bfa9252cf1f6a0af479c277defc88a80467989b0749a6284f5ee87be01f805ed0c741a6df94f2385

Download Submit
memory/2336-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2336-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2336-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2336-22-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2336-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2552-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2552-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2552-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2552-16-0x0000000023230000-0x000000002348C000-memory.dmp

Filesize
2.4MB

Download
memory/2552-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads