83c3740fd8633c609a8aa759eb648e09f303ebe86847c394e1935ae0685e985d

General

Target

098d6c65132e23264b6f2257b1b197ff.exe
Size

133KB
MD5

098d6c65132e23264b6f2257b1b197ff
SHA1

d3e184a642cc8a56e767075c0e9da2304ae32fd2
SHA256

83c3740fd8633c609a8aa759eb648e09f303ebe86847c394e1935ae0685e985d
SHA512

211956b300c7ff7e54c9a7e23da0d53ce46e775e65a9b1c66990cd7ae04cc0a8fc884c5f26716a553a30b11cbb420c087d2a4ae36f0cede15ed1e590c9117ef3
SSDEEP

3072:PzflShpObxM3Y3W9YBFn+iIPtHbkprvv8cMACSdQ:Pp8ioY3CYBFYdbkpDpdQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	098d6c65132e23264b6f2257b1b197ff.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	098d6c65132e23264b6f2257b1b197ff.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	098d6c65132e23264b6f2257b1b197ff.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000d0000000122e8-11.dat	upx
behavioral1/memory/2672-17-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	098d6c65132e23264b6f2257b1b197ff.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	098d6c65132e23264b6f2257b1b197ff.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	098d6c65132e23264b6f2257b1b197ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	098d6c65132e23264b6f2257b1b197ff.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2276	098d6c65132e23264b6f2257b1b197ff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2276	098d6c65132e23264b6f2257b1b197ff.exe
2672	098d6c65132e23264b6f2257b1b197ff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2672	2276	098d6c65132e23264b6f2257b1b197ff.exe	29
PID 2276 wrote to memory of 2672	2276	098d6c65132e23264b6f2257b1b197ff.exe	29
PID 2276 wrote to memory of 2672	2276	098d6c65132e23264b6f2257b1b197ff.exe	29
PID 2276 wrote to memory of 2672	2276	098d6c65132e23264b6f2257b1b197ff.exe	29

C:\Users\Admin\AppData\Local\Temp\098d6c65132e23264b6f2257b1b197ff.exe
"C:\Users\Admin\AppData\Local\Temp\098d6c65132e23264b6f2257b1b197ff.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\098d6c65132e23264b6f2257b1b197ff.exe
  C:\Users\Admin\AppData\Local\Temp\098d6c65132e23264b6f2257b1b197ff.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2672

Network

DNS

cutit.org

098d6c65132e23264b6f2257b1b197ff.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
GET

https://cutit.org/oxgBR

098d6c65132e23264b6f2257b1b197ff.exe

Remote address:

64.91.240.248:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Date: Sat, 30 Dec 2023 12:39:29 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww12.cutit.org/oxgBR?usid=25&utid=4486273667
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

ww12.cutit.org

098d6c65132e23264b6f2257b1b197ff.exe

Remote address:

8.8.8.8:53

Request

ww12.cutit.org

IN A

Response

ww12.cutit.org

IN CNAME

726512.parkingcrew.net

726512.parkingcrew.net

IN A

76.223.26.96

726512.parkingcrew.net

IN A

13.248.148.254
GET

http://ww12.cutit.org/oxgBR?usid=25&utid=4486273667

098d6c65132e23264b6f2257b1b197ff.exe

Remote address:

76.223.26.96:80

Request

GET /oxgBR?usid=25&utid=4486273667 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww12.cutit.org

Response

HTTP/1.1 200 OK

Date: Sat, 30 Dec 2023 12:39:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Buckets: bucket011
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_V7lPUCQGk1Qi4wHntHxZXEagzxJbqm9zKc3bqx4y7MJil9Vga8puhL5fK2gZxP/JUGCoBOi8AMs1WZaLZ0heAg==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Domain: cutit.org
X-Subdomain: ww12

64.91.240.248:443

https://cutit.org/oxgBR

tls, http

098d6c65132e23264b6f2257b1b197ff.exe

1.5kB
3.4kB
14
9

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

302
76.223.26.96:80

http://ww12.cutit.org/oxgBR?usid=25&utid=4486273667

http

098d6c65132e23264b6f2257b1b197ff.exe

1.2kB
18.6kB
16
21

HTTP Request

GET http://ww12.cutit.org/oxgBR?usid=25&utid=4486273667

HTTP Response

200

8.8.8.8:53

cutit.org

dns

098d6c65132e23264b6f2257b1b197ff.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248
8.8.8.8:53

ww12.cutit.org

dns

098d6c65132e23264b6f2257b1b197ff.exe

60 B
128 B
1
1

DNS Request

ww12.cutit.org

DNS Response

76.223.26.96

13.248.148.254

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\098d6c65132e23264b6f2257b1b197ff.exe

Filesize
133KB

MD5
1e33371c968d9ef42e56a7bdaea9e222

SHA1
db9732106cd3c741fde84c2c64a791a6ffa3b5b0

SHA256
6b4c328142df7c93e3f3b70b13b75665ea18e32b853e0efc90032879dc567038

SHA512
ec81af4d48e633eae7770d5bc56dc52544fff67775ba421deeb826c6536710b0f11fb5063d56fe51a5637fedae0290363b6a43615076a8fb4ba70f7712f8e18a

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2276-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2276-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2276-15-0x0000000000220000-0x00000000002A6000-memory.dmp

Filesize
536KB

Download
memory/2276-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2672-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response