be16127b4c25e455576267fa4dd582f117cb734e4910cff04b97fbc6c2da973c

General

Target

1fbb935726148c8b5a3456585d7c1a08.exe
Size

133KB
MD5

1fbb935726148c8b5a3456585d7c1a08
SHA1

8646aaced62f77d4cd3cfaf1b5a2a059eddccff8
SHA256

be16127b4c25e455576267fa4dd582f117cb734e4910cff04b97fbc6c2da973c
SHA512

e0498f0166b895a3a4d5d1529a3b9b1b82073cf309b7666c87d559f253bc697a10a81d9ed6ba2bda20a8ac7f6628658d5fd441e621d3eadb3a6c11621413eaef
SSDEEP

3072:/PsObP1UZ5glB6PRay8DEUQZmZ0bLMiAKiEUDROmCx2SjQ:/XbP1UXT2UCeLMrPROmCEKQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1264	1fbb935726148c8b5a3456585d7c1a08.exe

Executes dropped EXE 1 IoCs

pid	Process
1264	1fbb935726148c8b5a3456585d7c1a08.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	1fbb935726148c8b5a3456585d7c1a08.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b0000000133a9-11.dat	upx
behavioral1/files/0x000b0000000133a9-16.dat	upx
behavioral1/memory/2896-14-0x0000000001490000-0x0000000001516000-memory.dmp	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1fbb935726148c8b5a3456585d7c1a08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1fbb935726148c8b5a3456585d7c1a08.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	1fbb935726148c8b5a3456585d7c1a08.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2896	1fbb935726148c8b5a3456585d7c1a08.exe
1264	1fbb935726148c8b5a3456585d7c1a08.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1264	2896	1fbb935726148c8b5a3456585d7c1a08.exe	17
PID 2896 wrote to memory of 1264	2896	1fbb935726148c8b5a3456585d7c1a08.exe	17
PID 2896 wrote to memory of 1264	2896	1fbb935726148c8b5a3456585d7c1a08.exe	17
PID 2896 wrote to memory of 1264	2896	1fbb935726148c8b5a3456585d7c1a08.exe	17

C:\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe
"C:\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe
  C:\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe

Filesize
28KB

MD5
1a66337dd7c56029ffe90499ecb834a1

SHA1
48470b25c47e1ab38b89a1977bacb62435286a62

SHA256
b5c8045c6373edfa20226f2fb9d1ec2dc7bdd2c194d49a7e61041c3e36e42696

SHA512
25a3aa0b151ee47ac36d19d47855bf4a0c78cf65278fc61f713b1c8a463f59d55aa8f57bf88712b1937fe08de2893ed81ba6c825f2c86b5688068f1dcd19bddb

Download Submit
\Users\Admin\AppData\Local\Temp\1fbb935726148c8b5a3456585d7c1a08.exe

Filesize
1KB

MD5
03581400df06fa0cc40c2b5a4a658d12

SHA1
b28aeb94440486ef90ec93066a8461f06ab8ca1f

SHA256
36e17c642e0237730d52694bbf975bf52b5e2be71c87426223bedc3f953169b6

SHA512
1f4c76442a2c38d56f1251b81edb25b521884f8f81582c4018c09cb4867ed2ff435add68488d9f9ed542707e22751b5a5cb6eb6072c6fdaa595fc59f04125da7

Download Submit
memory/1264-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1264-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1264-34-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2896-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2896-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2896-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-14-0x0000000001490000-0x0000000001516000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing