26ddd03f4ef3ee5b8063002a4abfb65523f7cde73c0077fe874dc0ff3275e529

General

Target

0b15d5f6480bf62518d7d3f1f6f8478c.exe
Size

302KB
MD5

0b15d5f6480bf62518d7d3f1f6f8478c
SHA1

f2172c25a42f58964eb21388e6fbee036bec7408
SHA256

26ddd03f4ef3ee5b8063002a4abfb65523f7cde73c0077fe874dc0ff3275e529
SHA512

5f8415ac062dae657be964d0b8012991271d7011bedb79166223fc12c74b51ae0720550b03ecd6e71eb60b4793e54e2dfb5a9f29fc1ce2fa503b5e356a5744c2
SSDEEP

3072:zWQXKpgxs2RiOanZIpR94RAWG4aIErKkFTGNxyMbrsHYUgdDUZjWDUlN+rQC6AR:opghRgwXWdEh7AU6DUBWgmQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	0b15d5f6480bf62518d7d3f1f6f8478c.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	0b15d5f6480bf62518d7d3f1f6f8478c.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000b000000012252-15.dat	upx
behavioral1/files/0x000b000000012252-11.dat	upx
behavioral1/memory/2796-18-0x0000000000400000-0x00000000004E0000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0b15d5f6480bf62518d7d3f1f6f8478c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0b15d5f6480bf62518d7d3f1f6f8478c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0b15d5f6480bf62518d7d3f1f6f8478c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0b15d5f6480bf62518d7d3f1f6f8478c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe
2796	0b15d5f6480bf62518d7d3f1f6f8478c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2796	3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe	29
PID 3044 wrote to memory of 2796	3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe	29
PID 3044 wrote to memory of 2796	3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe	29
PID 3044 wrote to memory of 2796	3044	0b15d5f6480bf62518d7d3f1f6f8478c.exe	29

C:\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe
"C:\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe
  C:\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe

Filesize
70KB

MD5
c118b32211e9146b1f19fb9b8ce9a627

SHA1
4c15e9b4d8adb87ce2e82cea54c50f82e6f448f3

SHA256
56fceebd1964b7745861139731d9dbf77062c2b5209025757371c6976add7c2b

SHA512
bfca3b2a3a99b27263489a2bbe01c604f9a8a4c299bcc846f50abde1e9303c3c57c540bc6261ba62510992aa87abdf1bacfcab713420a6759622c4cea37e77fb

Download Submit
\Users\Admin\AppData\Local\Temp\0b15d5f6480bf62518d7d3f1f6f8478c.exe

Filesize
85KB

MD5
1d3c4b7ad6c4b13c925217e662366441

SHA1
1f8fdd1f8e2ead24569cdbf67ccd0071adf01078

SHA256
d3ef8d90229de86ba6791e33d3c28a9def0420f48e03957b0d73c714c8106ed0

SHA512
89d502857ea7f593a7b990f55590c78d6d52244fd02492736ee4e7d233bbecfd610d0cdbde9854873968afb4b967cae4b1b10a58456b0563abf334a55ad805e0

Download Submit
memory/2796-18-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2796-20-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2796-41-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3044-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3044-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-4-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download
memory/3044-17-0x0000000022DF0000-0x0000000022ED0000-memory.dmp

Filesize
896KB

Download
memory/3044-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing