08a5673180a5420bf309d0a5cfd76708082b6102d9a3a6fcdb749b5b77b1c521

General

Target

0f02949f56eeb6f7b93e49cc33bd2ac1.exe
Size

3.0MB
MD5

0f02949f56eeb6f7b93e49cc33bd2ac1
SHA1

c403a3146d2a0c9ad7424705b3cb2d0d3122853f
SHA256

08a5673180a5420bf309d0a5cfd76708082b6102d9a3a6fcdb749b5b77b1c521
SHA512

9ec64908895fbc5d1b05868d4066fdb6dc070b5d4f86a503ab51c62dfa09a399a747fa108c012d3e77edf1b35239e652b8655c865dc7922ac71e375cd7a447df
SSDEEP

49152:IrklOdJCHflDmcakLr0n8J39fEtJ4LcakLIjpvc+UcakLr0n8J39fEtJ4LcakLj:IrklOdJCtDmcakX0n8B9fEn4Lcakc1UZ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012247-11.dat	upx
behavioral1/memory/1736-15-0x00000000233B0000-0x000000002360C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2864	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0f02949f56eeb6f7b93e49cc33bd2ac1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0f02949f56eeb6f7b93e49cc33bd2ac1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0f02949f56eeb6f7b93e49cc33bd2ac1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe
2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2716	1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	30
PID 1736 wrote to memory of 2716	1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	30
PID 1736 wrote to memory of 2716	1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	30
PID 1736 wrote to memory of 2716	1736	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	30
PID 2716 wrote to memory of 2864	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	29
PID 2716 wrote to memory of 2864	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	29
PID 2716 wrote to memory of 2864	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	29
PID 2716 wrote to memory of 2864	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	29
PID 2716 wrote to memory of 2756	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	34
PID 2716 wrote to memory of 2756	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	34
PID 2716 wrote to memory of 2756	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	34
PID 2716 wrote to memory of 2756	2716	0f02949f56eeb6f7b93e49cc33bd2ac1.exe	34
PID 2756 wrote to memory of 2596	2756	cmd.exe	33
PID 2756 wrote to memory of 2596	2756	cmd.exe	33
PID 2756 wrote to memory of 2596	2756	cmd.exe	33
PID 2756 wrote to memory of 2596	2756	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe
"C:\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe
  C:\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\ICnXCLhoz.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe" /TN uhTCmbCqd877 /F
1⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN uhTCmbCqd877
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0f02949f56eeb6f7b93e49cc33bd2ac1.exe

Filesize
384KB

MD5
65d20ea831ccd300dede9a476544cf7a

SHA1
38dd18a7ecf9d41a95f6718d0d7a7bb42d9636b3

SHA256
6a63fcb5dc07db770c6696b1043c17ff222196d31e7719ae924d5fa8349a581a

SHA512
3be32ad17d4738912b19ce08f9f0b6197c53ae3a6788ca1314351fe85bf2093d16dfecb161758e2e6f9c3725af8fc83f6c4e64948855b4a90980382b64d1e919

Download Submit
memory/1736-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1736-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1736-2-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/1736-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1736-15-0x00000000233B0000-0x000000002360C000-memory.dmp

Filesize
2.4MB

Download
memory/1736-54-0x00000000233B0000-0x000000002360C000-memory.dmp

Filesize
2.4MB

Download
memory/2716-25-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2716-27-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2716-29-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/2716-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2716-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads