c882931ae5c852163a86435ff08af41032d63b4dd0b3b802acac5241ba5e450c

General

Target

16bdeaeb70dacd253a67ae0a5663fabf.exe
Size

3.2MB
MD5

16bdeaeb70dacd253a67ae0a5663fabf
SHA1

77170ff59bbff19d4fa8299558bd3c8ca4c65bd6
SHA256

c882931ae5c852163a86435ff08af41032d63b4dd0b3b802acac5241ba5e450c
SHA512

331169c56d0e93b8157d557769294e2cfdf7104cccc4c0b38ce2f01af8d4c5fd31bb8653dd270cee317ec12c2e2dbed5e4b0b4d3c3222d9f1fe8dddec962c023
SSDEEP

98304:dsGa7WMoIScakcvn+RyS+gr7cakco+IomhpzUWbcakcvn+RyS+gr7cakcO:d5a7WMoXdlvn+JX7dlboyWbdlvn+JX72

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2516	16bdeaeb70dacd253a67ae0a5663fabf.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	16bdeaeb70dacd253a67ae0a5663fabf.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	16bdeaeb70dacd253a67ae0a5663fabf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001224a-11.dat	upx
behavioral1/memory/2516-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2128	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	16bdeaeb70dacd253a67ae0a5663fabf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	16bdeaeb70dacd253a67ae0a5663fabf.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	16bdeaeb70dacd253a67ae0a5663fabf.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	16bdeaeb70dacd253a67ae0a5663fabf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1720	16bdeaeb70dacd253a67ae0a5663fabf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1720	16bdeaeb70dacd253a67ae0a5663fabf.exe
2516	16bdeaeb70dacd253a67ae0a5663fabf.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2516	1720	16bdeaeb70dacd253a67ae0a5663fabf.exe	29
PID 1720 wrote to memory of 2516	1720	16bdeaeb70dacd253a67ae0a5663fabf.exe	29
PID 1720 wrote to memory of 2516	1720	16bdeaeb70dacd253a67ae0a5663fabf.exe	29
PID 1720 wrote to memory of 2516	1720	16bdeaeb70dacd253a67ae0a5663fabf.exe	29
PID 2516 wrote to memory of 2128	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	30
PID 2516 wrote to memory of 2128	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	30
PID 2516 wrote to memory of 2128	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	30
PID 2516 wrote to memory of 2128	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	30
PID 2516 wrote to memory of 2808	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	32
PID 2516 wrote to memory of 2808	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	32
PID 2516 wrote to memory of 2808	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	32
PID 2516 wrote to memory of 2808	2516	16bdeaeb70dacd253a67ae0a5663fabf.exe	32
PID 2808 wrote to memory of 2928	2808	cmd.exe	34
PID 2808 wrote to memory of 2928	2808	cmd.exe	34
PID 2808 wrote to memory of 2928	2808	cmd.exe	34
PID 2808 wrote to memory of 2928	2808	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe
"C:\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe
  C:\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\nOMlLxm.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nOMlLxm.xml

Filesize
1KB

MD5
e9bfe32304670e08e901f121a2cb668f

SHA1
82c06fc8c3e671afa92fe39ee86d83838d1869d8

SHA256
9c1053de70d694f42b9b042d20992e1bc497ced437fe174eb790722a5ad5e6e7

SHA512
d89083cec9bfa72c4c7a1becc2388e40a73dfa2cdb8d503018d8c5c7f29eb212f09c69d28016732121218ed8d1231e74a9fcb6935ae2aac013203ecc5ed78e61

Download Submit
\Users\Admin\AppData\Local\Temp\16bdeaeb70dacd253a67ae0a5663fabf.exe

Filesize
3.2MB

MD5
784c7cfed09a4ce7f71bffeaef9efbff

SHA1
fb9882398a31257c63cda19b640c2cd39c6bf4d8

SHA256
e4ecaff5d57f45e97abce987af3e3178011ba408e0e535d5ac0f011e2dee87f9

SHA512
58fb99c1e5e0b1769a534aea9e6c2997fa4c21f1a3b35056248221a2852434f162fb840158367ef207226c2e2b18f1b68edb1a86ef328b6c50afb99534263cac

Download Submit
memory/1720-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1720-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1720-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1720-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2516-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2516-22-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2516-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2516-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2516-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads