08b33a9f8de461362651077bc81ab64452ce6b4d01cd4b8f500b19243ee83b2c

General

Target

08daee817b45ea17a1fb3cfcc6cda32f.exe
Size

133KB
MD5

08daee817b45ea17a1fb3cfcc6cda32f
SHA1

8b84a199855cfd4c26ccc3983f7d17cb918f0475
SHA256

08b33a9f8de461362651077bc81ab64452ce6b4d01cd4b8f500b19243ee83b2c
SHA512

08317524c1256ac25dcebaaabf4ba6ba711f0eff4b95d4b5702ffbc69d48d516921bd163737a3800c9a2aca490f22c67bfed33713a8511deb5996f462f0f67ce
SSDEEP

3072:u/TRak83kGmwksD+EsIe5uU/Im+qFTeJWJZcxhTcOJh41TQai1odSWQ:uT4k8UGGYsIY/ICFTeJWQxhoOJhCQav8

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	08daee817b45ea17a1fb3cfcc6cda32f.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	08daee817b45ea17a1fb3cfcc6cda32f.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	08daee817b45ea17a1fb3cfcc6cda32f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x00080000000120dc-11.dat	upx
behavioral1/files/0x00080000000120dc-13.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	08daee817b45ea17a1fb3cfcc6cda32f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	08daee817b45ea17a1fb3cfcc6cda32f.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	08daee817b45ea17a1fb3cfcc6cda32f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	08daee817b45ea17a1fb3cfcc6cda32f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2460	08daee817b45ea17a1fb3cfcc6cda32f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2460	08daee817b45ea17a1fb3cfcc6cda32f.exe
2728	08daee817b45ea17a1fb3cfcc6cda32f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2728	2460	08daee817b45ea17a1fb3cfcc6cda32f.exe	17
PID 2460 wrote to memory of 2728	2460	08daee817b45ea17a1fb3cfcc6cda32f.exe	17
PID 2460 wrote to memory of 2728	2460	08daee817b45ea17a1fb3cfcc6cda32f.exe	17
PID 2460 wrote to memory of 2728	2460	08daee817b45ea17a1fb3cfcc6cda32f.exe	17

C:\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe
"C:\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe
  C:\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe

Filesize
29KB

MD5
57f86991ad7611a12845738e9aa468a8

SHA1
84d22a5c1cb683b4df997b21e0b215cccb362973

SHA256
c32ad738f988fe734f6c98c679dad00b1254dc87afd9e49913c4db4dc589b314

SHA512
e21dd3f2fa1260aa61195dd2f8698ee719af13aa3f0f10756e1eff69aef6bdf6c968b9e52187d433fd2040aee43ec8cfa23fd503bc0f4876a7f201864fbdd358

Download Submit
\Users\Admin\AppData\Local\Temp\08daee817b45ea17a1fb3cfcc6cda32f.exe

Filesize
28KB

MD5
a19f7255926f58e5af01a29841c1f512

SHA1
f906867820b3168053bf7498b869d0fdf6fbbb04

SHA256
3ad03b604718083903089a2d22cd11e05c0e65e6e97d6fa0a4b3a2ba30455526

SHA512
82378408b4fc234a4d31d839570a052df45f08cd7d4c5457c5874152c101b55f42bc3cbc35f1454754190234efcbed43052c1afa4de794761d2b277a61fe3645

Download Submit
memory/2460-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2460-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-18-0x0000000002D40000-0x0000000002DC6000-memory.dmp

Filesize
536KB

Download
memory/2460-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-1-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/2460-42-0x0000000002D40000-0x0000000002DC6000-memory.dmp

Filesize
536KB

Download
memory/2728-16-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2728-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2728-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing