9112816e37f6b9ee38670966a000845b41cbb8afeaf1fdd6d6279204660ee210

General

Target

10ca3f25dd2b399a59a604d5bdb94a0f.exe
Size

5.1MB
MD5

10ca3f25dd2b399a59a604d5bdb94a0f
SHA1

14cae6fe7ac781ad35116e63bd725830027f8055
SHA256

9112816e37f6b9ee38670966a000845b41cbb8afeaf1fdd6d6279204660ee210
SHA512

b960adbb9569b68f810896c1a88a3db63684687aa8b54c8ceb0b7b56a3e869da9bd80f28cfd9daebe3c9a8fd94adddb5fd31b2f1d7a96a966ada01ab6180d6d3
SSDEEP

98304:w6kgvet0T+43pK6fLTEQkhkfzzEezgs3:wKvrT+sfPGkr

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2248	10ca3f25dd2b399a59a604d5bdb94a0f.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	10ca3f25dd2b399a59a604d5bdb94a0f.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000b00000001225f-11.dat	upx
behavioral1/files/0x000b00000001225f-15.dat	upx
behavioral1/memory/2212-16-0x0000000004060000-0x00000000049FE000-memory.dmp	upx
behavioral1/memory/2248-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	10ca3f25dd2b399a59a604d5bdb94a0f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	10ca3f25dd2b399a59a604d5bdb94a0f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe
2248	10ca3f25dd2b399a59a604d5bdb94a0f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2248	2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe	28
PID 2212 wrote to memory of 2248	2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe	28
PID 2212 wrote to memory of 2248	2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe	28
PID 2212 wrote to memory of 2248	2212	10ca3f25dd2b399a59a604d5bdb94a0f.exe	28

C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe
"C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe
  C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe

Filesize
91KB

MD5
bfe3ae91c8b6d0f13d5621a4f1882e7d

SHA1
7c23fd1ea2ce1561217a83cd9b8c798bbe9a4769

SHA256
a1cd5350ff4ed0120a69b998c198d3124e3a332ae3f9f6175506aa5d63e36a9e

SHA512
3765a9f30e841ea05376616b06db8d5474e2aad4d43ed6e50bf324ce91e0e24ca98b8bfe1493344c13ba25c7c2a0042d7e2d3a55f623759a7a5844734405f7fd

Download Submit
\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe

Filesize
239KB

MD5
fb2f71c08d7133ee4c6eb0a17353810a

SHA1
676298965d4b57eb079b109ada430dee398bc99a

SHA256
6731b2cf6772fc82c0ed3c764dd826a65d59836f430cf5581c3e125f10813051

SHA512
0a4281916f3100491d95431a740b306022f74d835867a74975c51041e927e3f64709f8dc80ca97313b65708b2150346faaa34a2b0f3742036472cb1a9ea21b06

Download Submit
memory/2212-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2212-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2212-3-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2212-16-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2212-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2212-42-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2248-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2248-20-0x0000000002240000-0x000000000249A000-memory.dmp

Filesize
2.4MB

Download
memory/2248-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing