31a482255f322d4e71bb6f5db518fd8ba52ec3ca0f89fd8f4ffba39aacb50f71

General

Target

16c154d72e9da9ff6fe534df4907518c.exe
Size

2.0MB
MD5

16c154d72e9da9ff6fe534df4907518c
SHA1

8c8f48c2ad147063a85b6c160612e87f5f2b0b29
SHA256

31a482255f322d4e71bb6f5db518fd8ba52ec3ca0f89fd8f4ffba39aacb50f71
SHA512

8c261f2b422244ec8caec1a8caddaff8458527dd2a23cd58e1e485e483d9c231180da0286b917dc589133f662cedec28b5b8162c81347f210b6349b460c8c33c
SSDEEP

49152:m4zdRcN+9zWFULG+WculXWgEoi4tGN2noQcN+9zWFULG+:fdyA9zyULG+WculXWgEo6Ino1A9zyULp

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	16c154d72e9da9ff6fe534df4907518c.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	16c154d72e9da9ff6fe534df4907518c.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	16c154d72e9da9ff6fe534df4907518c.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012243-11.dat	upx
behavioral1/files/0x000b000000012243-17.dat	upx
behavioral1/memory/2776-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2688	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	16c154d72e9da9ff6fe534df4907518c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	16c154d72e9da9ff6fe534df4907518c.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	16c154d72e9da9ff6fe534df4907518c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	16c154d72e9da9ff6fe534df4907518c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	16c154d72e9da9ff6fe534df4907518c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2140	16c154d72e9da9ff6fe534df4907518c.exe
2776	16c154d72e9da9ff6fe534df4907518c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2776	2140	16c154d72e9da9ff6fe534df4907518c.exe	29
PID 2140 wrote to memory of 2776	2140	16c154d72e9da9ff6fe534df4907518c.exe	29
PID 2140 wrote to memory of 2776	2140	16c154d72e9da9ff6fe534df4907518c.exe	29
PID 2140 wrote to memory of 2776	2140	16c154d72e9da9ff6fe534df4907518c.exe	29
PID 2776 wrote to memory of 2688	2776	16c154d72e9da9ff6fe534df4907518c.exe	30
PID 2776 wrote to memory of 2688	2776	16c154d72e9da9ff6fe534df4907518c.exe	30
PID 2776 wrote to memory of 2688	2776	16c154d72e9da9ff6fe534df4907518c.exe	30
PID 2776 wrote to memory of 2688	2776	16c154d72e9da9ff6fe534df4907518c.exe	30
PID 2776 wrote to memory of 2924	2776	16c154d72e9da9ff6fe534df4907518c.exe	32
PID 2776 wrote to memory of 2924	2776	16c154d72e9da9ff6fe534df4907518c.exe	32
PID 2776 wrote to memory of 2924	2776	16c154d72e9da9ff6fe534df4907518c.exe	32
PID 2776 wrote to memory of 2924	2776	16c154d72e9da9ff6fe534df4907518c.exe	32
PID 2924 wrote to memory of 2524	2924	cmd.exe	34
PID 2924 wrote to memory of 2524	2924	cmd.exe	34
PID 2924 wrote to memory of 2524	2924	cmd.exe	34
PID 2924 wrote to memory of 2524	2924	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe
"C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe
  C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\sDlTl.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe

Filesize
2.0MB

MD5
971c7747d270403f0eb1e4cc222ba129

SHA1
10a46c3c6286ca4590ee56c1671a80635734f6db

SHA256
ee42d54bcbf7bbaafeec30a2d169d6f78e88d9a9aa6e7c973e1b91675492c1b8

SHA512
cdacb1d630a089198fa0e0fed467d1b0a185da0dc2fd68d19a78c61f30a7f937cfeb4f94841f6a176e7232a8d4fc76de0e467cafab5ac8319690f99bafb0a4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sDlTl.xml

Filesize
1KB

MD5
8ba4c7a6f8c926cc33c2e876173efb78

SHA1
e953f380f2bdebaec065b1836775c19ba8c270d9

SHA256
f39dbc30d188091dff4296519fc8f1768e9b0891aba636bc426ab465e48cd730

SHA512
013c7279d51026687ebc45ed1fde6c155b3af8b14064be2dbd908c3ab23e00f3e67957c5d7e0e55e5037db5698938b46c6bf52d0bdc49d27f82e4d7f2995300f

Download Submit
\Users\Admin\AppData\Local\Temp\16c154d72e9da9ff6fe534df4907518c.exe

Filesize
960KB

MD5
475d10dc194072e98ce48efe676fe6e0

SHA1
6325c20cd90bb78e68525fd979903dc9bb07de64

SHA256
52c4cee566be609d7517bbcfb18bfe1ebbbead79d7f2ee52e0b7ba6d7b6b1f1e

SHA512
194666f32a311a49e83e01e064df1db691a39f85b239a9d3ca0af1b9392767adbab022d562456524acc7fda7445431e158091bbf7ac86bda1c176ffb04451f34

Download Submit
memory/2140-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-16-0x00000000235A0000-0x00000000237FC000-memory.dmp

Filesize
2.4MB

Download
memory/2140-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-4-0x0000000000290000-0x000000000030E000-memory.dmp

Filesize
504KB

Download
memory/2140-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2776-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2776-20-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2776-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2776-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2776-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads