f990ad415950250e659cf03e1b79aa4415cf8b374adadb611d5632c1ad6d519e

General

Target

0baa9004dc1d98dd3030663d4037fa4a.exe
Size

266KB
MD5

0baa9004dc1d98dd3030663d4037fa4a
SHA1

1ff97a63ae98f41ff62321e231db25a529dcf625
SHA256

f990ad415950250e659cf03e1b79aa4415cf8b374adadb611d5632c1ad6d519e
SHA512

dafe5dd211626fceef42a9612444832e06d89f403d2c228f139beff5ad13ce6f5819e06bee853fac9e0c7a25d56bb119d88ae8fa97e6c0e2f0a93604be41ea3d
SSDEEP

6144:TkkcQMmadOG15eMED+khv/OwkDflNZVKjEsOb/6g5HZnQ:+QMt8G15eMESNZVGEj6eq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	0baa9004dc1d98dd3030663d4037fa4a.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	0baa9004dc1d98dd3030663d4037fa4a.exe

Loads dropped DLL 1 IoCs

pid	Process
2744	0baa9004dc1d98dd3030663d4037fa4a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x0009000000012266-14.dat	upx
behavioral1/files/0x0009000000012266-13.dat	upx
behavioral1/files/0x0009000000012266-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0baa9004dc1d98dd3030663d4037fa4a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0baa9004dc1d98dd3030663d4037fa4a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2744	0baa9004dc1d98dd3030663d4037fa4a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2744	0baa9004dc1d98dd3030663d4037fa4a.exe
2792	0baa9004dc1d98dd3030663d4037fa4a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2792	2744	0baa9004dc1d98dd3030663d4037fa4a.exe	17
PID 2744 wrote to memory of 2792	2744	0baa9004dc1d98dd3030663d4037fa4a.exe	17
PID 2744 wrote to memory of 2792	2744	0baa9004dc1d98dd3030663d4037fa4a.exe	17
PID 2744 wrote to memory of 2792	2744	0baa9004dc1d98dd3030663d4037fa4a.exe	17

C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe
C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2792

C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe
"C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe

Filesize
12KB

MD5
6944052316b0a2751b990e0f2de18c99

SHA1
30582d5fad367e86855d04e2f2ffecac21c2b290

SHA256
e476964d089062461b21c0053335b4d2dc7a545bde0dce4c116ed78867596fc6

SHA512
a82d949c60e8c1f06e0db0aa3cad15b8285b6e0961766dc0a6b324dc8b94ba83d5b70a8625629459d89a329aab78e2b83925f5a0255495db6301886763ad41b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe

Filesize
25KB

MD5
a6f0533e1213189a3ed690bef2ff0c6a

SHA1
682109fb1604ad8b497a25c1563b8e11ea4a959b

SHA256
c279671109f8ed72360246d2be8eb06fee78c600c05110a462d893b4039a916f

SHA512
a4e89210ed10f085bf4562d3f9f3b0800dd27d2de8a8e6bd00b803e60c711baa827153e5fe4f440bd56164eeca2f3d18d604b019d96eec2592d242b799432663

Download Submit
\Users\Admin\AppData\Local\Temp\0baa9004dc1d98dd3030663d4037fa4a.exe

Filesize
28KB

MD5
651fe68e3fd21044852833625f1749de

SHA1
7b0f2bb836497ee757dda94654081560f0cacdf9

SHA256
cf06971ae8079af6887c3fff52197235cad1fa71b64a9316a55ab4ef83f57245

SHA512
062fd0725ceeb140def84c8523df48520839e8a3a8cc943aafa4cf2b6ba3543c74c8679f7bc52d5bafb394f55588cea0a1c5ba76e9353b29b96823383a9df22a

Download Submit
memory/2744-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2744-19-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2744-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2792-16-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2792-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing