f9edc6a48b526e425707c8afd97f305fca229c1c6813a948eb457e79457553e9

General

Target

16c4b0c07c6245ef4e68bf0ec93880b7.exe
Size

1003KB
MD5

16c4b0c07c6245ef4e68bf0ec93880b7
SHA1

4cb01d35a7f13080e6005c41414251ec00d31458
SHA256

f9edc6a48b526e425707c8afd97f305fca229c1c6813a948eb457e79457553e9
SHA512

7cd8531c334b514c363a650f1473845d61d5844731d13698f0881ae11cb3102fbbdc204dc1e97b29be6f10c7450552ca12108809694918ff6aaecc963bdb7b1e
SSDEEP

12288:dwUE7+ljLOnOwi22NmgG0eWx6kaRyfkhCPTJkzFWglZdw/7+Vj8gwKXgrO:dBS+lG172slkaRaP1cFW8Za7+Vj8l4g

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012248-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	16c4b0c07c6245ef4e68bf0ec93880b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	16c4b0c07c6245ef4e68bf0ec93880b7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	16c4b0c07c6245ef4e68bf0ec93880b7.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	16c4b0c07c6245ef4e68bf0ec93880b7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe
2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2840	2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe	29
PID 2124 wrote to memory of 2840	2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe	29
PID 2124 wrote to memory of 2840	2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe	29
PID 2124 wrote to memory of 2840	2124	16c4b0c07c6245ef4e68bf0ec93880b7.exe	29
PID 2840 wrote to memory of 2696	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	30
PID 2840 wrote to memory of 2696	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	30
PID 2840 wrote to memory of 2696	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	30
PID 2840 wrote to memory of 2696	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	30
PID 2840 wrote to memory of 2732	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	32
PID 2840 wrote to memory of 2732	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	32
PID 2840 wrote to memory of 2732	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	32
PID 2840 wrote to memory of 2732	2840	16c4b0c07c6245ef4e68bf0ec93880b7.exe	32
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34
PID 2732 wrote to memory of 2448	2732	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe
"C:\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe
  C:\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\MY1zg.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MY1zg.xml

Filesize
1KB

MD5
262800d8d53d67eb58fc5fdc6a447fe0

SHA1
89db8090ad1bd9877feef27339deec19328d5844

SHA256
c33ffbcad6c42047c83f10efe4b00efb704a086ebb66001c7fdbe6105046420c

SHA512
1ce5f812701d309f7985241a3a2ecffdc2a1e13bbcdad05184a917340e400d6b4874e70f1701b9767452cbe5c9c4fc0bb597438c62324517dddee6749432f526

Download Submit
\Users\Admin\AppData\Local\Temp\16c4b0c07c6245ef4e68bf0ec93880b7.exe

Filesize
1003KB

MD5
25575132ea8994f94faedfa552b7b2e0

SHA1
428433a2c765eeb9130c44c9409d996679776b0c

SHA256
362e3d75ee300fc8bcffd4521264b5372c29f85c0447d573a049fc913cf79018

SHA512
379067f4c6b6d4e1605edbc3ecb8821491ac3a5a5400cef3542171af45ae5bfaaa783b66878a54ed6853e8719cc4d437934ceebd697cdd8c1a8e49a17aa52e75

Download Submit
memory/2124-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2124-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2124-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2124-16-0x0000000022F50000-0x00000000231AC000-memory.dmp

Filesize
2.4MB

Download
memory/2124-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2840-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2840-22-0x0000000000250000-0x00000000002CE000-memory.dmp

Filesize
504KB

Download
memory/2840-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-29-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2840-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads