a88d2892f7b34eec9b25ba6dab4c3af913a83a41acdb5dea1a3627925c9a0e24

General

Target

09b55b380dd2015e6539bf644750e257.exe
Size

3.0MB
MD5

09b55b380dd2015e6539bf644750e257
SHA1

8a94c56bf9a7efca4b14a93594f3847a709074b0
SHA256

a88d2892f7b34eec9b25ba6dab4c3af913a83a41acdb5dea1a3627925c9a0e24
SHA512

39c0405395d65e1570402de953674258b10e69924357930b2bc3fd48fd3ea034f046158c143ce39225105ce6ebbf2de1beafc6025c7bbb25f35052d9ea0ab00c
SSDEEP

98304:ooFoFoRfycakcibiqhMbMgOn7n0bcakcibiqhySnJ1UO6L+cakcibiqhMbr:XW2FydlirybMgOnkdlirgSDy+dlirybr

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2148	09b55b380dd2015e6539bf644750e257.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	09b55b380dd2015e6539bf644750e257.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	09b55b380dd2015e6539bf644750e257.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001226e-11.dat	upx
behavioral1/files/0x000a00000001226e-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2716	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	09b55b380dd2015e6539bf644750e257.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	09b55b380dd2015e6539bf644750e257.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	09b55b380dd2015e6539bf644750e257.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	09b55b380dd2015e6539bf644750e257.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2036	09b55b380dd2015e6539bf644750e257.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2036	09b55b380dd2015e6539bf644750e257.exe
2148	09b55b380dd2015e6539bf644750e257.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2148	2036	09b55b380dd2015e6539bf644750e257.exe	29
PID 2036 wrote to memory of 2148	2036	09b55b380dd2015e6539bf644750e257.exe	29
PID 2036 wrote to memory of 2148	2036	09b55b380dd2015e6539bf644750e257.exe	29
PID 2036 wrote to memory of 2148	2036	09b55b380dd2015e6539bf644750e257.exe	29
PID 2148 wrote to memory of 2716	2148	09b55b380dd2015e6539bf644750e257.exe	30
PID 2148 wrote to memory of 2716	2148	09b55b380dd2015e6539bf644750e257.exe	30
PID 2148 wrote to memory of 2716	2148	09b55b380dd2015e6539bf644750e257.exe	30
PID 2148 wrote to memory of 2716	2148	09b55b380dd2015e6539bf644750e257.exe	30
PID 2148 wrote to memory of 2032	2148	09b55b380dd2015e6539bf644750e257.exe	32
PID 2148 wrote to memory of 2032	2148	09b55b380dd2015e6539bf644750e257.exe	32
PID 2148 wrote to memory of 2032	2148	09b55b380dd2015e6539bf644750e257.exe	32
PID 2148 wrote to memory of 2032	2148	09b55b380dd2015e6539bf644750e257.exe	32
PID 2032 wrote to memory of 2860	2032	cmd.exe	33
PID 2032 wrote to memory of 2860	2032	cmd.exe	33
PID 2032 wrote to memory of 2860	2032	cmd.exe	33
PID 2032 wrote to memory of 2860	2032	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe
"C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe
  C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\kjI7m2.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe

Filesize
22KB

MD5
6ef0402dd0da5d4a21dfc37957467416

SHA1
1c98e162f087508c72e69966408c9b55b7ebdc1a

SHA256
0d5bc41f9e153860564148ed38ba6fd8c128093068abb7236be4855269e98c80

SHA512
b75eabd75620eac963cb76ec3edde66a1a4cecea73b9da0db4f894338300f97251d4a0ac101b8f046fc070fcbd81d00244e85c164afa6d0600cca9f2a460fa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjI7m2.xml

Filesize
1KB

MD5
f09040a9fdb4bb201ede3f76ca197ada

SHA1
52f05ef42c356da7c6f114e2f3ce6b652d6b963b

SHA256
6a965bb9c33808ebdea97d0967da962ec25a9408417d383f7f2c708ba405094f

SHA512
e86ddacf993c303479b9cd2899a2ad1629d44b4781f073d7e06be6b8ad289ab55de086b1e75e7fe4147a3ee50ba0ff2bbc5fb8ec686ed2097b6386ad5c6ba293

Download Submit
\Users\Admin\AppData\Local\Temp\09b55b380dd2015e6539bf644750e257.exe

Filesize
30KB

MD5
e88981c30e83b553482453d31f249d5e

SHA1
9d8caf9c8daac9b634c3e9345b026a5f58645c5d

SHA256
8cb14c6268858d83c5784bbb2d057e781e82e6ccea760274686e86da45416900

SHA512
9efc65b91f899ffd14b6679f1f21f7c129c7352d5923ae93c8fee3d835d610ec734b1e6a8e37d06b3fc9dfa17f8f1171b77659118be455a7c26a728628013448

Download Submit
memory/2036-2-0x0000000000200000-0x000000000027E000-memory.dmp

Filesize
504KB

Download
memory/2036-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2036-16-0x0000000023520000-0x000000002377C000-memory.dmp

Filesize
2.4MB

Download
memory/2036-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2036-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2036-53-0x0000000023520000-0x000000002377C000-memory.dmp

Filesize
2.4MB

Download
memory/2148-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2148-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2148-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2148-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2148-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads