c7294b7f9c5f8168182299ea0c4d77122d59ea3f3eed0d22997f621469166d64

General

Target

1dc6c477aac51a82d2185af6f36a0cd9.exe
Size

1003KB
MD5

1dc6c477aac51a82d2185af6f36a0cd9
SHA1

189ea91a5d3c7fbcf402723d8e9e7f102376087c
SHA256

c7294b7f9c5f8168182299ea0c4d77122d59ea3f3eed0d22997f621469166d64
SHA512

319c57fffb685a149845ab04016beb4d829ee0a6a8c103c4dca363e786fce5b9b0334807114783a6be348ed175f554677b398e7ae98998b66990b42347d8e14b
SSDEEP

24576:0DP28XcUZ004EQzfvmwDXK2frNkziacRbT0RbTr/Rm:MP28sUZ00Zwfvmw+SNkzURnGbTr/4

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1352	1dc6c477aac51a82d2185af6f36a0cd9.exe

Executes dropped EXE 1 IoCs

pid	Process
1352	1dc6c477aac51a82d2185af6f36a0cd9.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	1dc6c477aac51a82d2185af6f36a0cd9.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/1352-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000800000001224f-15.dat	upx
behavioral1/files/0x000800000001224f-14.dat	upx
behavioral1/files/0x000800000001224f-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2948	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1dc6c477aac51a82d2185af6f36a0cd9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1dc6c477aac51a82d2185af6f36a0cd9.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1dc6c477aac51a82d2185af6f36a0cd9.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1dc6c477aac51a82d2185af6f36a0cd9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3068	1dc6c477aac51a82d2185af6f36a0cd9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3068	1dc6c477aac51a82d2185af6f36a0cd9.exe
1352	1dc6c477aac51a82d2185af6f36a0cd9.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1352	3068	1dc6c477aac51a82d2185af6f36a0cd9.exe	29
PID 3068 wrote to memory of 1352	3068	1dc6c477aac51a82d2185af6f36a0cd9.exe	29
PID 3068 wrote to memory of 1352	3068	1dc6c477aac51a82d2185af6f36a0cd9.exe	29
PID 3068 wrote to memory of 1352	3068	1dc6c477aac51a82d2185af6f36a0cd9.exe	29
PID 1352 wrote to memory of 2948	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	30
PID 1352 wrote to memory of 2948	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	30
PID 1352 wrote to memory of 2948	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	30
PID 1352 wrote to memory of 2948	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	30
PID 1352 wrote to memory of 2580	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	33
PID 1352 wrote to memory of 2580	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	33
PID 1352 wrote to memory of 2580	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	33
PID 1352 wrote to memory of 2580	1352	1dc6c477aac51a82d2185af6f36a0cd9.exe	33
PID 2580 wrote to memory of 2608	2580	cmd.exe	34
PID 2580 wrote to memory of 2608	2580	cmd.exe	34
PID 2580 wrote to memory of 2608	2580	cmd.exe	34
PID 2580 wrote to memory of 2608	2580	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe
"C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe
  C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\o4TIvyE.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Nnb8kaFf43a4
      4⤵
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe

Filesize
150KB

MD5
a3faa61496e1591ce93941c7c090c1a1

SHA1
10bbc2239694a7446072c198de5516cd92b086fe

SHA256
f40c1e1758bc80cf335b90206a83fe14a9d6f1d6e2942d04e8dfafb362eb3935

SHA512
f06baf6fab0263d14ad7f50169e18c7a80e96efef4fdfb87ef432f86e950ed60837a5b48e327cb30265ce42d3cb4419094a0d07af0705c2573baf234ca2bc9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe

Filesize
96KB

MD5
f58395f4b70a0394a297db1a1a23c21e

SHA1
8a7f705002961f55ca413b6a7bf995e3f2d9495e

SHA256
d4d008a4a5d657f25cc0d750cb9c5d9541ac013b5023bed50f784c79d455cf17

SHA512
20ae16b78fbaf9c99c3b37aa0aa9697adde149ebeeed16fe81f3ac3b22b0e3040feb92f37eb70faec98e26759ce5431f6a11945f75e32a1fbd9256442dccbe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4TIvyE.xml

Filesize
1KB

MD5
dda483a7ccb3b5a5a2b48e7124e9dd94

SHA1
bdd7d3e9f664f48c63b21f313cd2b322e52ee0be

SHA256
ea7efd50c76206d155bcb0ffcde06d84aba2b03bd6ef474233cc0f8de09f4365

SHA512
4a8560ad3750712c6abbbc497c17465e2f52844bc880e8bb964c8292f61f3d4a485b21076cceff58a55deba87c71721d4a2ca3b067b5411c800b20403e5cd65a

Download Submit
\Users\Admin\AppData\Local\Temp\1dc6c477aac51a82d2185af6f36a0cd9.exe

Filesize
262KB

MD5
573bc8b11efd294e6785d9fbc15c2e4a

SHA1
5f3f51d0db7ff08784214a4c02e823393564c8d5

SHA256
5e805617d364f800377162ebc22556f65f2246959c071251e8932ad3ad882e13

SHA512
0ea20e0cd6db25b8c899a29148d9e7df678cca70426f8a05f236cf4946dd72104fb6afc5542919d9766ca0ecd7af070e13631c1e64b55d5dcbe3bbdbce760091

Download Submit
memory/1352-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1352-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1352-19-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/1352-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1352-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3068-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-4-0x0000000022DF0000-0x0000000022E6E000-memory.dmp

Filesize
504KB

Download
memory/3068-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3068-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads