52139c0b5ef8b95914e58aeae34b9078aed63331d305caf8019a3c005ba73d81

General

Target

1285301cfe6b4d43d9f2c2de3b08fefc.exe
Size

133KB
MD5

1285301cfe6b4d43d9f2c2de3b08fefc
SHA1

9a3b7cf91f19023b00407d5897f80d4e221c056d
SHA256

52139c0b5ef8b95914e58aeae34b9078aed63331d305caf8019a3c005ba73d81
SHA512

694e43cd58655600f7326be17a317f5cb219f6f23e653c14caa818bf953e680e1de78727c3d78d2721c5d7cb56ed9031935dbcd1810f92fa093aa7af57c549af
SSDEEP

3072:ZyA4kXdIxyCkyuuj2j50TW1uvIUt+xwz0ggeSb2lzqC3Bx3etQ:UA4kXGxye2Wi1uvIq+ezzNbqCxx3sQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	1285301cfe6b4d43d9f2c2de3b08fefc.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	1285301cfe6b4d43d9f2c2de3b08fefc.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b000000012252-11.dat	upx
behavioral1/memory/2684-15-0x0000000000190000-0x0000000000216000-memory.dmp	upx
behavioral1/files/0x000b000000012252-16.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1285301cfe6b4d43d9f2c2de3b08fefc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1285301cfe6b4d43d9f2c2de3b08fefc.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1285301cfe6b4d43d9f2c2de3b08fefc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1285301cfe6b4d43d9f2c2de3b08fefc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe
3068	1285301cfe6b4d43d9f2c2de3b08fefc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 3068	2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe	28
PID 2684 wrote to memory of 3068	2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe	28
PID 2684 wrote to memory of 3068	2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe	28
PID 2684 wrote to memory of 3068	2684	1285301cfe6b4d43d9f2c2de3b08fefc.exe	28

C:\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe
"C:\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe
  C:\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe

Filesize
133KB

MD5
f6b2fc0d00e21f692efd4023dcc3ffe2

SHA1
1d6ebc0b16aafd0e52b0bac9c4a6e299cc7dcc51

SHA256
d35bb10f882601dd7842ede897998c0ca6e8c2c66f2ad0d3e475aa15aba56d38

SHA512
cdac20a3379938c73cf5586e082c76b0769eb26e18e444fe9ce9be8dc92fa1f2af7ada0d968ae9362b2e7ccd27cee5802452002e37baec469c958a3973460f1a

Download Submit
\Users\Admin\AppData\Local\Temp\1285301cfe6b4d43d9f2c2de3b08fefc.exe

Filesize
72KB

MD5
a5127d7e76d8ba32b3d0478859f697bb

SHA1
621e1d54f417a5105ee4665d486054fb492a3775

SHA256
a2055b3de6cf7daa9ae244ef80567ac7a5885b59d5ded0bc86dc527e729f7d50

SHA512
7ee9b069c1bff99222f6d5833a6e7d9c4d8cf9f3e6f1c465bff762ff7ec154cd9d04044d32077b232d4797ed3d712a9bb0e21b7662770a64be5ca1f204be8922

Download Submit
memory/2684-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2684-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2684-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-15-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2684-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-43-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/3068-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3068-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/3068-44-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing