efb600234814a78a65eca7d65cc2faca20ff8474a6fe1ffdbf7935907ca9cb43

General

Target

1f2a492fe2133e075cfc897eac32d3b8.exe
Size

133KB
MD5

1f2a492fe2133e075cfc897eac32d3b8
SHA1

ce2dd17c77aae9af61babf3ea67d6090175408d8
SHA256

efb600234814a78a65eca7d65cc2faca20ff8474a6fe1ffdbf7935907ca9cb43
SHA512

fd2c9aeb69ed7e842f8569bd4f035413717499363c04fb2476b7fa678ec54f57a5df720297475dc76317a67e29480985bbb0a094befa8ffd5bac921416c5ab39
SSDEEP

3072:0aNGeAe06av2rP1QaNZfxMUsgm9jWlKhsY4BMcKrQZFwlQEnfVPTNQ:DNRAqaOrP1QIfxJy9sFjWYw+OdrNQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	1f2a492fe2133e075cfc897eac32d3b8.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	1f2a492fe2133e075cfc897eac32d3b8.exe

Loads dropped DLL 1 IoCs

pid	Process
1256	1f2a492fe2133e075cfc897eac32d3b8.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000a000000012243-11.dat	upx
behavioral1/memory/1256-13-0x0000000000330000-0x00000000003B6000-memory.dmp	upx
behavioral1/files/0x000a000000012243-16.dat	upx
behavioral1/memory/2720-17-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1f2a492fe2133e075cfc897eac32d3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1f2a492fe2133e075cfc897eac32d3b8.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1f2a492fe2133e075cfc897eac32d3b8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1f2a492fe2133e075cfc897eac32d3b8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1256	1f2a492fe2133e075cfc897eac32d3b8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1256	1f2a492fe2133e075cfc897eac32d3b8.exe
2720	1f2a492fe2133e075cfc897eac32d3b8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2720	1256	1f2a492fe2133e075cfc897eac32d3b8.exe	29
PID 1256 wrote to memory of 2720	1256	1f2a492fe2133e075cfc897eac32d3b8.exe	29
PID 1256 wrote to memory of 2720	1256	1f2a492fe2133e075cfc897eac32d3b8.exe	29
PID 1256 wrote to memory of 2720	1256	1f2a492fe2133e075cfc897eac32d3b8.exe	29

C:\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe
"C:\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe
  C:\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe

Filesize
35KB

MD5
449519e99e24897d97cc541ea70f8e39

SHA1
ab6d07db4a91ef08ea251ab02af5698ba3569ed7

SHA256
2f72e90fcec843cb7358335a28c4d9060836ed645bd1007a2ec1636ec217fb8a

SHA512
30f5b5e0003e3b6a81c0a8ac15cf40aef77d63aebc40c853e1f480e18a1d00e5a8b2947addb7dffc27f7bbfab4e9b6f6aca27ce6506e796af45a1b296905414d

Download Submit
\Users\Admin\AppData\Local\Temp\1f2a492fe2133e075cfc897eac32d3b8.exe

Filesize
133KB

MD5
22f78fd0b42838fb95d221b37558cb9b

SHA1
692ac15c7d8b9ab7e61953b77a4ab73f6eb00907

SHA256
3bda8ad4bb9ab54f7c74dd431efdb5db76c12007d15a1b4cab01e83e28e7cb01

SHA512
399b5d53aa8f9316cdd818ca7556b012c997d20b223ccc9b09635b264f8af2753cfd7c04c9a7a0e599670ebabe00f3c8a689df9f29b0d8812e9b2ce31e01bc89

Download Submit
memory/1256-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1256-2-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/1256-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-13-0x0000000000330000-0x00000000003B6000-memory.dmp

Filesize
536KB

Download
memory/1256-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2720-19-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2720-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing