397fa2887836dd57faf84524c251d19598060f0be0a5e02bc6c52ba2ab711c0a

General

Target

081ed7416b96c96559ab345630cc62c5.exe
Size

302KB
MD5

081ed7416b96c96559ab345630cc62c5
SHA1

e52ee9fd04f840ec2f539256769871c929264030
SHA256

397fa2887836dd57faf84524c251d19598060f0be0a5e02bc6c52ba2ab711c0a
SHA512

80a27483a11a6d5cef13296f5b92372e7184d71f9b7c80acef3ebfa3b97d3c967d4e56c099ff429c4c71b8e46c564368ecb614759be357e669bc9dc97707ccf0
SSDEEP

6144:uZU5jZggfOO7uC28ylSiY0rv4iN1G8IejnY65mQ:uGjZHmkfVi1rv4iN/YYm

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	081ed7416b96c96559ab345630cc62c5.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	081ed7416b96c96559ab345630cc62c5.exe

Loads dropped DLL 1 IoCs

pid	Process
3048	081ed7416b96c96559ab345630cc62c5.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000900000001225b-11.dat	upx
behavioral1/files/0x000900000001225b-17.dat	upx
behavioral1/memory/3048-16-0x0000000022D60000-0x0000000022E40000-memory.dmp	upx
behavioral1/files/0x000900000001225b-13.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	081ed7416b96c96559ab345630cc62c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	081ed7416b96c96559ab345630cc62c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	081ed7416b96c96559ab345630cc62c5.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	081ed7416b96c96559ab345630cc62c5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3048	081ed7416b96c96559ab345630cc62c5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3048	081ed7416b96c96559ab345630cc62c5.exe
2360	081ed7416b96c96559ab345630cc62c5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2360	3048	081ed7416b96c96559ab345630cc62c5.exe	29
PID 3048 wrote to memory of 2360	3048	081ed7416b96c96559ab345630cc62c5.exe	29
PID 3048 wrote to memory of 2360	3048	081ed7416b96c96559ab345630cc62c5.exe	29
PID 3048 wrote to memory of 2360	3048	081ed7416b96c96559ab345630cc62c5.exe	29

C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe
"C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe
  C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe

Filesize
203KB

MD5
94f0a6b6b77a345284cb4a3b05be5333

SHA1
d50836a52ab801ebb6c2b7b6eaf5fe292ad425d8

SHA256
23413a73a12cd37a5b2903c7f09449f2739a5beb885bf202b96ffc813852b378

SHA512
286d57885b4bbed768fad83713210f71397a04c328449ba5509ae53d20cb6fd62202fb397b563be95362b4ae835c69ae5e7322da0735546ba9eaf25f36176a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe

Filesize
221KB

MD5
c38e20cb1e3583aae6617a9f6cd434b5

SHA1
1f5d8cedb00ff8a5c7825a545d85ea4503d59582

SHA256
da176bad72dd2efeb12b369d8aeee98f9321b71605b748a88bc30d57d91205b0

SHA512
9d83c920f015d8db1429df6dfd1aaf5144af1877d903a26b2c6937b1c99806bfc79a53d6bbf74bbbe58c4f83f915a55a5f6cbb22bdb60ec3c8c09f8182b3f980

Download Submit
\Users\Admin\AppData\Local\Temp\081ed7416b96c96559ab345630cc62c5.exe

Filesize
278KB

MD5
f8133fb21cd717d107ebb653d5d6b0f7

SHA1
b730e9619306a1be3d6aac41b556cf54be80fe08

SHA256
f52b2a224f9a768e381ae830cf80731d78d633fad8cdaf8138018d09250714a7

SHA512
7b080928a8d57026a607360e47e2bff4101b6f230329676bddd6941363c6da98b92dd3d57428d31d4d284ad73a4c072f0f135c1b35b32f063840b915b88b4efe

Download Submit
memory/2360-20-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2360-22-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/2360-45-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3048-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3048-2-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download
memory/3048-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-16-0x0000000022D60000-0x0000000022E40000-memory.dmp

Filesize
896KB

Download
memory/3048-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-44-0x0000000022D60000-0x0000000022E40000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing