ddf72d28394492663a26d52f6bd3bfede69c7fd985ab0bc24147bb44c351ca93

General

Target

0ff4ecf31e02b89a76db9e200f6650ac.exe
Size

3.9MB
MD5

0ff4ecf31e02b89a76db9e200f6650ac
SHA1

cbcf102b99a673a6f8f905077727d8ad9626ccc0
SHA256

ddf72d28394492663a26d52f6bd3bfede69c7fd985ab0bc24147bb44c351ca93
SHA512

c9d5f053b481707fb64ee2241721670c11519595c789b0a46a0008dadf07c847422e2bce1aed426c96eae65886a4639c9cd36f78729959afaad0c06fe41187d5
SSDEEP

98304:MvPCZvroYubA9zyULG+GFbRsSJ4J/izA9zyULG+0A7nAGxlkfzA9zyULG+GFbRsL:Jvr3BzLqjFRsSmJHzLqpbofzLqjFRsSr

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	0ff4ecf31e02b89a76db9e200f6650ac.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	0ff4ecf31e02b89a76db9e200f6650ac.exe

Loads dropped DLL 1 IoCs

pid	Process
536	0ff4ecf31e02b89a76db9e200f6650ac.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012243-11.dat	upx
behavioral1/files/0x000a000000012243-17.dat	upx
behavioral1/memory/536-16-0x0000000023610000-0x000000002386C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0ff4ecf31e02b89a76db9e200f6650ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0ff4ecf31e02b89a76db9e200f6650ac.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0ff4ecf31e02b89a76db9e200f6650ac.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0ff4ecf31e02b89a76db9e200f6650ac.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
536	0ff4ecf31e02b89a76db9e200f6650ac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
536	0ff4ecf31e02b89a76db9e200f6650ac.exe
2800	0ff4ecf31e02b89a76db9e200f6650ac.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2800	536	0ff4ecf31e02b89a76db9e200f6650ac.exe	29
PID 536 wrote to memory of 2800	536	0ff4ecf31e02b89a76db9e200f6650ac.exe	29
PID 536 wrote to memory of 2800	536	0ff4ecf31e02b89a76db9e200f6650ac.exe	29
PID 536 wrote to memory of 2800	536	0ff4ecf31e02b89a76db9e200f6650ac.exe	29
PID 2800 wrote to memory of 2816	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	30
PID 2800 wrote to memory of 2816	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	30
PID 2800 wrote to memory of 2816	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	30
PID 2800 wrote to memory of 2816	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	30
PID 2800 wrote to memory of 2856	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	32
PID 2800 wrote to memory of 2856	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	32
PID 2800 wrote to memory of 2856	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	32
PID 2800 wrote to memory of 2856	2800	0ff4ecf31e02b89a76db9e200f6650ac.exe	32
PID 2856 wrote to memory of 3012	2856	cmd.exe	34
PID 2856 wrote to memory of 3012	2856	cmd.exe	34
PID 2856 wrote to memory of 3012	2856	cmd.exe	34
PID 2856 wrote to memory of 3012	2856	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe
"C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe
  C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\bR6BT.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uhTCmbCqd877
      4⤵
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe

Filesize
158KB

MD5
65715d8a277ba519426931d4b0781615

SHA1
3135de6427218f4f3e73cbd642ac4aabf1468dd7

SHA256
fec1fd49a788c1672396d545870938483cbdf80312646293645910ca3adc6901

SHA512
f1fd715e19e8fdde34bd6a6eb0aa6148235d08065958fb25546395fcdb04013fe7d8ba2b76b0a606034d267e7b0f27093cbe37802d5b7336d6eb42d5c1e7ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bR6BT.xml

Filesize
1KB

MD5
0cc4464a974d64d91432121b92aebb55

SHA1
e4ac91793924b3e92380e5a61541db35e6c73321

SHA256
c76a9cb2895d8e775d29e18e6962463950b199c3e31f36b76d065d763d02874b

SHA512
404dd34ab9ce86f6f932dd08e19265b6a053a7a1e769b703d19ce8e7ace5b5d66ac8b35a1293c3ebccb5faf74a77ec2f9e059315386b3dcf165769a3b216a114

Download Submit
\Users\Admin\AppData\Local\Temp\0ff4ecf31e02b89a76db9e200f6650ac.exe

Filesize
133KB

MD5
76107d728d55c290d54d40737f55f5fe

SHA1
2bc13e24c4611d89d161d464873c0578c1c48d2e

SHA256
36c57a8d6bd12e80b4d1c59bcb73b98d1c2a6b45df9af3e00bd644c72d2d8924

SHA512
cc6202668f1a71e02e43c30e7b829967daa0163c71800881ebd1e7e3271aaf7a9a26e6b1fba6f660e93d941674fb3809fa0caabeda52f21f4f5e3f4be710f959

Download Submit
memory/536-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/536-1-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/536-16-0x0000000023610000-0x000000002386C000-memory.dmp

Filesize
2.4MB

Download
memory/536-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/536-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/536-54-0x0000000023610000-0x000000002386C000-memory.dmp

Filesize
2.4MB

Download
memory/2800-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2800-20-0x0000000022DC0000-0x0000000022E3E000-memory.dmp

Filesize
504KB

Download
memory/2800-28-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2800-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads