8414af7d0f5fb5cbe9ae413002d5d02966cfed7e4ff809a0b330520b66cc7107

General

Target

09f75fe4ba2dec61517a9cc5584517ad.exe
Size

2.0MB
MD5

09f75fe4ba2dec61517a9cc5584517ad
SHA1

075d6e6f6991f50a977ceb25537a7febb70ae891
SHA256

8414af7d0f5fb5cbe9ae413002d5d02966cfed7e4ff809a0b330520b66cc7107
SHA512

89b8dc7e9335c02c1e631a0544db8caf455bddbcab7b72661e49ace24657ed0c5f4c3e100640dc43e2ce859601f20bc720126079a5904d3d27815a9d3c73b86a
SSDEEP

49152:kyzhr8XRRNy67cN+9zWFULG+JAhwqcHbN3cN+9zWFULG+:k0GXzNy6wA9zyULG+JAhZcHbaA9zyULp

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	09f75fe4ba2dec61517a9cc5584517ad.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	09f75fe4ba2dec61517a9cc5584517ad.exe

Loads dropped DLL 1 IoCs

pid	Process
2464	09f75fe4ba2dec61517a9cc5584517ad.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2464-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012248-11.dat	upx
behavioral1/memory/2464-16-0x00000000233A0000-0x00000000235FC000-memory.dmp	upx
behavioral1/memory/2704-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	09f75fe4ba2dec61517a9cc5584517ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	09f75fe4ba2dec61517a9cc5584517ad.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	09f75fe4ba2dec61517a9cc5584517ad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	09f75fe4ba2dec61517a9cc5584517ad.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2464	09f75fe4ba2dec61517a9cc5584517ad.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2464	09f75fe4ba2dec61517a9cc5584517ad.exe
2704	09f75fe4ba2dec61517a9cc5584517ad.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2704	2464	09f75fe4ba2dec61517a9cc5584517ad.exe	29
PID 2464 wrote to memory of 2704	2464	09f75fe4ba2dec61517a9cc5584517ad.exe	29
PID 2464 wrote to memory of 2704	2464	09f75fe4ba2dec61517a9cc5584517ad.exe	29
PID 2464 wrote to memory of 2704	2464	09f75fe4ba2dec61517a9cc5584517ad.exe	29
PID 2704 wrote to memory of 2812	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	30
PID 2704 wrote to memory of 2812	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	30
PID 2704 wrote to memory of 2812	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	30
PID 2704 wrote to memory of 2812	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	30
PID 2704 wrote to memory of 2732	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	32
PID 2704 wrote to memory of 2732	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	32
PID 2704 wrote to memory of 2732	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	32
PID 2704 wrote to memory of 2732	2704	09f75fe4ba2dec61517a9cc5584517ad.exe	32
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe
"C:\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe
  C:\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\Ew1FF73s.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ew1FF73s.xml

Filesize
1KB

MD5
1694fc2593fe45dc92cbad951ef3fa95

SHA1
18dc5d2101bc673b02f22921a06a371493d8b4d6

SHA256
290b2b37c319fbf57af89e7bd6237cb81cd17e4f5c8625462b25dc909b0bf79f

SHA512
a0428b650a38c535569a674f812b02778e7601b8337560a5aa0a5da27ea02fbe692400a93348bba7e174f39edc3fc3454afb79daafd8fbcc59c800fb3e40d115

Download Submit
\Users\Admin\AppData\Local\Temp\09f75fe4ba2dec61517a9cc5584517ad.exe

Filesize
2.0MB

MD5
8e0504a066855d4c21d605304b28de26

SHA1
07dcb556df259b76dcaa40500b2fa0be67a9c3e2

SHA256
a9b380a7042d1d7171711efddf0547a68e7b3467413a8855d530cb033e4fe8e0

SHA512
e8c48eb0718dcf6471675e684a1304703e9022834dbb17b70c75895680da3c60e428d333dbf0696d0c08fbb378f55d80e0d09a02fec132e0f3dcc3dda416dc2c

Download Submit
memory/2464-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2464-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2464-2-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2464-16-0x00000000233A0000-0x00000000235FC000-memory.dmp

Filesize
2.4MB

Download
memory/2464-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2704-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2704-20-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2704-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2704-29-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2704-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads