0b200f51a4a8b6ff2c9feadf57bfc0706a1ce123f1b24c3f9fb42e508ab62494

General

Target

13936f44eb5e61cfd99310ba7ea937d0.exe
Size

7.8MB
MD5

13936f44eb5e61cfd99310ba7ea937d0
SHA1

2ce0a0e7156d059ada4627f16ca9084428bd4b82
SHA256

0b200f51a4a8b6ff2c9feadf57bfc0706a1ce123f1b24c3f9fb42e508ab62494
SHA512

6b63a569afb5d326deb7bf7aba8e008255687e0c778228281e87308634df9fb4a3431dfc694a085369679abbeabc121f67a7ce160c89abf48f0f452a4837c4b8
SSDEEP

196608:zLMfdlirybMgOnkdlirWOU3MSn9BJWcq/dlirybMgOnkdlirwbs5vf49Mdliryb/:M7bMrn3k1nDibbMrnycHfbMrn3k1nDiC

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	13936f44eb5e61cfd99310ba7ea937d0.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	13936f44eb5e61cfd99310ba7ea937d0.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	13936f44eb5e61cfd99310ba7ea937d0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00050000000120fb-17.dat	upx
behavioral1/memory/2408-16-0x0000000023E10000-0x000000002406C000-memory.dmp	upx
behavioral1/files/0x00050000000120fb-11.dat	upx
behavioral1/memory/2408-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2264	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	13936f44eb5e61cfd99310ba7ea937d0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	13936f44eb5e61cfd99310ba7ea937d0.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	13936f44eb5e61cfd99310ba7ea937d0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	13936f44eb5e61cfd99310ba7ea937d0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2408	13936f44eb5e61cfd99310ba7ea937d0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2408	13936f44eb5e61cfd99310ba7ea937d0.exe
2360	13936f44eb5e61cfd99310ba7ea937d0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2360	2408	13936f44eb5e61cfd99310ba7ea937d0.exe	6
PID 2408 wrote to memory of 2360	2408	13936f44eb5e61cfd99310ba7ea937d0.exe	6
PID 2408 wrote to memory of 2360	2408	13936f44eb5e61cfd99310ba7ea937d0.exe	6
PID 2408 wrote to memory of 2360	2408	13936f44eb5e61cfd99310ba7ea937d0.exe	6
PID 2360 wrote to memory of 2264	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	5
PID 2360 wrote to memory of 2264	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	5
PID 2360 wrote to memory of 2264	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	5
PID 2360 wrote to memory of 2264	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	5
PID 2360 wrote to memory of 2692	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	3
PID 2360 wrote to memory of 2692	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	3
PID 2360 wrote to memory of 2692	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	3
PID 2360 wrote to memory of 2692	2360	13936f44eb5e61cfd99310ba7ea937d0.exe	3
PID 2692 wrote to memory of 2796	2692	cmd.exe	1
PID 2692 wrote to memory of 2796	2692	cmd.exe	1
PID 2692 wrote to memory of 2796	2692	cmd.exe	1
PID 2692 wrote to memory of 2796	2692	cmd.exe	1

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN x1iLRz9v069a
1⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\6dJtM.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe" /TN x1iLRz9v069a /F
1⤵
- Creates scheduled task(s)
PID:2264

C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe
C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe
"C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe

Filesize
5.1MB

MD5
49fac308095721e73dcb560843643589

SHA1
29729d560527a4ab5c940e73a6e3feb6e19ddabc

SHA256
b2e89886244401d3b889dd7862c4742ab876685eb6eb1a8773532e17e9cfa597

SHA512
593a23fe7c4c59ca2a62278a7f30f2322f1c4d13925ca45e3bb4f5dfbc94f2e377a9dbc773455f06f214d0b44757961dce7a12c937103efb76d9d85761b8d7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dJtM.xml

Filesize
1KB

MD5
40e174a5148fe85b107ccc3dd90426bb

SHA1
a3a0f780c7f7345329574cdb186fba25e5be0d38

SHA256
126b1d7da7eefd5c4b5ec54005bb0244d7c553747c3955e84b182460c6b34e0b

SHA512
27ea3dd37959faaac908b5749102b5776f79963e6d76ea79dff0f4e5c9e2dd8233c50a6890819285b7d596d449c4fb666f9aafcc74f36e47bc562ff0a0921e4f

Download Submit
\Users\Admin\AppData\Local\Temp\13936f44eb5e61cfd99310ba7ea937d0.exe

Filesize
7.8MB

MD5
e4b71ba13759d3fe27a7a589041a7b39

SHA1
7d4464952d2af5f5405d0eb56de80652526548fb

SHA256
70f5feb8a5c93197fa8b11c768116bf643c9d4b66a3e879bc29383ce316fb0cf

SHA512
3329ec52ab700ddb3b92ab78405f581c3077904094731f8d05b3c06ea1ffbb96bad7bcf9df60a755f7ecf2fcb05e2cda5aece6eb5e48d9dc1259f29814d71169

Download Submit
memory/2360-31-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2360-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2360-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2360-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2360-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2408-16-0x0000000023E10000-0x000000002406C000-memory.dmp

Filesize
2.4MB

Download
memory/2408-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2408-1-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2408-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2408-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads