f0a0a6604bc590de70dc86cc3f57aa2632a13ecc441524dbd76f663dc1f118c9

General

Target

15bf0db8df64ffcfc1868540f5c715fe.exe
Size

2.6MB
MD5

15bf0db8df64ffcfc1868540f5c715fe
SHA1

3edefc8d0a8a93fa9fe6741a0b29f44c7831bd82
SHA256

f0a0a6604bc590de70dc86cc3f57aa2632a13ecc441524dbd76f663dc1f118c9
SHA512

9349aeffd3e3b107777f7553746d550258f8acf3dcc96b5a47787b6a930aef22ddbcb41b4318b27ceaba9322ec46c6991aede617041d4085abf863d3c8944953
SSDEEP

49152:QAOw99yMgGm0MVitNSe7+1GkhxBBMVM/AMcBay3:QG/JZeGtKy3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2260	15bf0db8df64ffcfc1868540f5c715fe.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	15bf0db8df64ffcfc1868540f5c715fe.exe

Loads dropped DLL 1 IoCs

pid	Process
1988	15bf0db8df64ffcfc1868540f5c715fe.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0008000000012270-14.dat	upx
behavioral1/memory/2260-19-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0008000000012270-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	15bf0db8df64ffcfc1868540f5c715fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	15bf0db8df64ffcfc1868540f5c715fe.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1988	15bf0db8df64ffcfc1868540f5c715fe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1988	15bf0db8df64ffcfc1868540f5c715fe.exe
2260	15bf0db8df64ffcfc1868540f5c715fe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2260	1988	15bf0db8df64ffcfc1868540f5c715fe.exe	28
PID 1988 wrote to memory of 2260	1988	15bf0db8df64ffcfc1868540f5c715fe.exe	28
PID 1988 wrote to memory of 2260	1988	15bf0db8df64ffcfc1868540f5c715fe.exe	28
PID 1988 wrote to memory of 2260	1988	15bf0db8df64ffcfc1868540f5c715fe.exe	28

C:\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe
"C:\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe
  C:\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe

Filesize
1.0MB

MD5
5fb53ff168e69e6b176486e652bc9036

SHA1
6a9ec840ff0c76c90e64301097e89d925b40571b

SHA256
cc03eb3a97bca40c017e7cf6b1b51eced4a13ebebfb5e73f75a3bd3c90bfc856

SHA512
04609631793441f74a4b5a971bc33a0de2ff17a5bc4f68537202d6677de59c93ace18214a81fb9263ccd3fb0e188c7fc1a38cda95734b4ed097e7ba29b0dd67b

Download Submit
\Users\Admin\AppData\Local\Temp\15bf0db8df64ffcfc1868540f5c715fe.exe

Filesize
1.1MB

MD5
8430af4a51f47e70ffa05a3e106a23f7

SHA1
6a2eb2733ee63479a75d6a8b0969bef3edc05d5e

SHA256
c3be3e5149567f9e568e976adbf16ac6470a614adba0217e59b1091cb57816fa

SHA512
08b816eb4219a3334a82714c586e2c8f3044929353773623f2c60f72e4c06d610002c4e68edac7e4e7331ed1a9bcd0986d5fafb302b058333aef3c40858d57e1

Download Submit
memory/1988-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1988-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1988-2-0x0000000002280000-0x00000000024DA000-memory.dmp

Filesize
2.4MB

Download
memory/1988-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1988-16-0x0000000003B80000-0x000000000451E000-memory.dmp

Filesize
9.6MB

Download
memory/2260-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2260-21-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2260-39-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing