c6b00db4ce342ff378bd8c1ccd7acb607246d334d645bdaa64887407d1094d4c

General

Target

2025b9e26267efead64f719a14f37633.exe
Size

2.0MB
MD5

2025b9e26267efead64f719a14f37633
SHA1

b7f117b1fd51f8fdd74c62a4b5e9c2f1537795f9
SHA256

c6b00db4ce342ff378bd8c1ccd7acb607246d334d645bdaa64887407d1094d4c
SHA512

76ec3d7b2704326bdfe44333307cc693f95de84898672b6704532f0d5fd26f7169510dc9df39799d4d36d20f8d1d4298a2cf919f0acc9d309d527c53f25b6cd0
SSDEEP

49152:eXK1ZbPTNuum+cN+9zWFULG+0dKS24DpVUcN+9zWFULG+:9zduumnA9zyULG+0dKz4DpvA9zyULG+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2384	2025b9e26267efead64f719a14f37633.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	2025b9e26267efead64f719a14f37633.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	2025b9e26267efead64f719a14f37633.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012251-11.dat	upx
behavioral1/files/0x000c000000012251-14.dat	upx
behavioral1/files/0x000c000000012251-17.dat	upx
behavioral1/memory/2172-16-0x0000000023230000-0x000000002348C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2904	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2025b9e26267efead64f719a14f37633.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	2025b9e26267efead64f719a14f37633.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	2025b9e26267efead64f719a14f37633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2025b9e26267efead64f719a14f37633.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2172	2025b9e26267efead64f719a14f37633.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2172	2025b9e26267efead64f719a14f37633.exe
2384	2025b9e26267efead64f719a14f37633.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2384	2172	2025b9e26267efead64f719a14f37633.exe	29
PID 2172 wrote to memory of 2384	2172	2025b9e26267efead64f719a14f37633.exe	29
PID 2172 wrote to memory of 2384	2172	2025b9e26267efead64f719a14f37633.exe	29
PID 2172 wrote to memory of 2384	2172	2025b9e26267efead64f719a14f37633.exe	29
PID 2384 wrote to memory of 2904	2384	2025b9e26267efead64f719a14f37633.exe	31
PID 2384 wrote to memory of 2904	2384	2025b9e26267efead64f719a14f37633.exe	31
PID 2384 wrote to memory of 2904	2384	2025b9e26267efead64f719a14f37633.exe	31
PID 2384 wrote to memory of 2904	2384	2025b9e26267efead64f719a14f37633.exe	31
PID 2384 wrote to memory of 2752	2384	2025b9e26267efead64f719a14f37633.exe	34
PID 2384 wrote to memory of 2752	2384	2025b9e26267efead64f719a14f37633.exe	34
PID 2384 wrote to memory of 2752	2384	2025b9e26267efead64f719a14f37633.exe	34
PID 2384 wrote to memory of 2752	2384	2025b9e26267efead64f719a14f37633.exe	34
PID 2752 wrote to memory of 2916	2752	cmd.exe	32
PID 2752 wrote to memory of 2916	2752	cmd.exe	32
PID 2752 wrote to memory of 2916	2752	cmd.exe	32
PID 2752 wrote to memory of 2916	2752	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe
"C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe
  C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\jKnMIdn2A.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe

Filesize
102KB

MD5
715c7acba1db3c78331164aebc11c4ae

SHA1
add66aa4681d051782d52c0e6ff459d3f479de64

SHA256
99f1837dc33dd9a70dcec7cf1ddbfef67f7e834e85a268f702dcaddc8052bd64

SHA512
1b3f41eaf48c338552752c153d7c8b48b60f71f28f2697837d5678ad05ec8ddc8071b809fc7fd05d73e29698ad82274068839c96edfe9cceca0c45c1e3a7bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe

Filesize
381KB

MD5
ed0358a176b7ddb4bcde203b1e44f251

SHA1
cf627f8cc632df70a3031f0a767b83cef50c3260

SHA256
a5cf48ee1a3d223e6088ef9af622139b69cbc1a52095be2de8a951b3777562a8

SHA512
97195633bf286813e15b01dbbdbe16e66d3d6f4c5f3749423f38ea7fda9b63d178c21755e3097e6969abb4b4ea80626726fc0ef616042a7c9504a1f8d47c9b52

Download Submit
\Users\Admin\AppData\Local\Temp\2025b9e26267efead64f719a14f37633.exe

Filesize
769KB

MD5
b2be87d88d2b0407548af765b615e3f4

SHA1
9395a8972bf906cc8f0930db532eed0096da2b73

SHA256
602e7694e918aa150d95c2a7ca89c4f5e11ee6a747cabb80bd16544b2b10a6ba

SHA512
5e6305e6fc79c9bf751b377f639b78c7d57eccfa2e97fcea531e95b0e02a7c3112c1121b7752ba7ecd202442b286f39e9088f1f47a4189a9b8e536b2582c1127

Download Submit
memory/2172-16-0x0000000023230000-0x000000002348C000-memory.dmp

Filesize
2.4MB

Download
memory/2172-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2172-6-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2172-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2172-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2384-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2384-21-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2384-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2384-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2384-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads