2195d7b59ead71a79be6d46b9551172e2829aae4a502a5e155170ae0bde2abd6

General

Target

1eea0e3e00abc5244990a97d4526240a.exe
Size

133KB
MD5

1eea0e3e00abc5244990a97d4526240a
SHA1

8dcccf5a38d23806f3d9b5e41a94ea41c5de4997
SHA256

2195d7b59ead71a79be6d46b9551172e2829aae4a502a5e155170ae0bde2abd6
SHA512

231ad1eefbec5f03e6649b44b2538feb2a1aed9e2acb08376be4d4f6b24f31e0389df8e67996c58b9076c17cc21ce89ec9a8555066141db6157145f92210777e
SSDEEP

3072:YJB6KE8xtHqx1Hlwqxsj9hkqF3JidVBaygl3cVleIQ:i4KV7qrHlihkqF0dXY3cVRQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2224	1eea0e3e00abc5244990a97d4526240a.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	1eea0e3e00abc5244990a97d4526240a.exe

Loads dropped DLL 1 IoCs

pid	Process
2504	1eea0e3e00abc5244990a97d4526240a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b000000012262-11.dat	upx
behavioral1/files/0x000b000000012262-16.dat	upx
behavioral1/memory/2504-15-0x0000000000260000-0x00000000002E6000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1eea0e3e00abc5244990a97d4526240a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1eea0e3e00abc5244990a97d4526240a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1eea0e3e00abc5244990a97d4526240a.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1eea0e3e00abc5244990a97d4526240a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2504	1eea0e3e00abc5244990a97d4526240a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2504	1eea0e3e00abc5244990a97d4526240a.exe
2224	1eea0e3e00abc5244990a97d4526240a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2224	2504	1eea0e3e00abc5244990a97d4526240a.exe	29
PID 2504 wrote to memory of 2224	2504	1eea0e3e00abc5244990a97d4526240a.exe	29
PID 2504 wrote to memory of 2224	2504	1eea0e3e00abc5244990a97d4526240a.exe	29
PID 2504 wrote to memory of 2224	2504	1eea0e3e00abc5244990a97d4526240a.exe	29

C:\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe
"C:\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe
  C:\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe

Filesize
133KB

MD5
87c81e6095c2972703a3f129ee9afdeb

SHA1
27988be6084843c80035f8a11e03ecdb45d23eec

SHA256
333da2d2e50a3a2ed4ed258ee6651b31085a6559676d5520cd2a3b136c923457

SHA512
cb8932958ee250ff098e29915435b6b9bde765110d296a62e7b1013c8cf399c5212bc583f5e745543f5c7f6f551391f1ad7ad11818599ceb7512a5fa89b9a8eb

Download Submit
\Users\Admin\AppData\Local\Temp\1eea0e3e00abc5244990a97d4526240a.exe

Filesize
64KB

MD5
98029d46dfb38211987cc588566d60c3

SHA1
b90cb71c4769117fb694f5b2014b0448c9f5f799

SHA256
9ec88dc184b64989b21b5aca4ce90f3ef60211489fbcde9ba912f235c9f38a10

SHA512
e7b3ceb3edd4acab56b0481072a228514ac6d78b959f127fab767f5a7aaec30a6023dce58cfad4a7f7f257609a38c61f5f301413056407bf23cb7578cb6e2e82

Download Submit
memory/2224-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2224-21-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2224-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2504-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2504-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2504-15-0x0000000000260000-0x00000000002E6000-memory.dmp

Filesize
536KB

Download
memory/2504-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-42-0x0000000000260000-0x00000000002E6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing