02b3305333562da42a63344b303c698000e4fddf8f739fbc7d3bbc961c47d0e2

General

Target

155a830c8edeb2b9c0676104ab68bb8d.exe
Size

7.8MB
MD5

155a830c8edeb2b9c0676104ab68bb8d
SHA1

f179621d9dd9001a3da9a00684961c45015bb091
SHA256

02b3305333562da42a63344b303c698000e4fddf8f739fbc7d3bbc961c47d0e2
SHA512

50c32300b5504f37b0ad11c8538ba5ad11f6336a4bee8d2b17d1dfa53c622b4e66ae3755e87c78985eb3663548992e97eb8744222f7d20db5e938974e090f74c
SSDEEP

196608:EFd/AHdlirybMgOnkdlirPKOfeEdlirybMgOnkdlir68KiSdFddlirybMgOnkdlp:0+bMrnzC2bMrnWZlbMrnzC2bMrn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	155a830c8edeb2b9c0676104ab68bb8d.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	155a830c8edeb2b9c0676104ab68bb8d.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	155a830c8edeb2b9c0676104ab68bb8d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000900000001225c-11.dat	upx
behavioral1/memory/2644-16-0x0000000023DE0000-0x000000002403C000-memory.dmp	upx
behavioral1/memory/2692-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000900000001225c-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	155a830c8edeb2b9c0676104ab68bb8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	155a830c8edeb2b9c0676104ab68bb8d.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	155a830c8edeb2b9c0676104ab68bb8d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	155a830c8edeb2b9c0676104ab68bb8d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2644	155a830c8edeb2b9c0676104ab68bb8d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2644	155a830c8edeb2b9c0676104ab68bb8d.exe
2692	155a830c8edeb2b9c0676104ab68bb8d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2692	2644	155a830c8edeb2b9c0676104ab68bb8d.exe	29
PID 2644 wrote to memory of 2692	2644	155a830c8edeb2b9c0676104ab68bb8d.exe	29
PID 2644 wrote to memory of 2692	2644	155a830c8edeb2b9c0676104ab68bb8d.exe	29
PID 2644 wrote to memory of 2692	2644	155a830c8edeb2b9c0676104ab68bb8d.exe	29
PID 2692 wrote to memory of 2800	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	30
PID 2692 wrote to memory of 2800	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	30
PID 2692 wrote to memory of 2800	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	30
PID 2692 wrote to memory of 2800	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	30
PID 2692 wrote to memory of 2392	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	32
PID 2692 wrote to memory of 2392	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	32
PID 2692 wrote to memory of 2392	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	32
PID 2692 wrote to memory of 2392	2692	155a830c8edeb2b9c0676104ab68bb8d.exe	32
PID 2392 wrote to memory of 2652	2392	cmd.exe	34
PID 2392 wrote to memory of 2652	2392	cmd.exe	34
PID 2392 wrote to memory of 2652	2392	cmd.exe	34
PID 2392 wrote to memory of 2652	2392	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe
"C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe
  C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\tb8QT.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe

Filesize
7.8MB

MD5
330201331a47ead3eee2b589094b8872

SHA1
d30e40bb0310304a2c7cdc9bade38004ce7491f1

SHA256
3027434dc8c0d885f0be54b568ebe581441eb19518633a116d18ea37d0948469

SHA512
21e51a2fa0d3eb98a27490667482543173bb075b477260080aecd25878c600d07830ba90b1a375470a0c76cbc988b247f23b76dead82bc3731a9d129d7ece5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb8QT.xml

Filesize
1KB

MD5
5f209d9d43d7419b5521af296f289e24

SHA1
962df1728e1602b96b1a9e6bfc25aec858b15629

SHA256
e36cab5c2657748c053fba48b0f3c0256cd7cebcde81ba296246631a7c322f8e

SHA512
4fc21189de88f978bc6046587fa85d5d35d598210d744cb8c84cd27d445b55fc0ebf52fb684a26f6e7ecc329891a51c7f007b43bb747eaa6605dbb3bc0d9b75e

Download Submit
\Users\Admin\AppData\Local\Temp\155a830c8edeb2b9c0676104ab68bb8d.exe

Filesize
1.2MB

MD5
95d588190c495d64da108d92063d9d76

SHA1
157f3068e95d1e1d911d6a07a112975c7c072996

SHA256
84fe9bcccd127267850612aa556af87f6d138391a3649532df981ac50fa0bb1d

SHA512
57432a2fcf6d612ceb2651876534ae46e23c2be12994be26f316ae5d4d220e19dfd4d7406d32000d96e41efb0e9bd31b1c399b178c2c8b9746e8559b4c782e3b

Download Submit
memory/2644-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2644-3-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2644-16-0x0000000023DE0000-0x000000002403C000-memory.dmp

Filesize
2.4MB

Download
memory/2644-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2644-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2692-27-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2692-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2692-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2692-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads