b78fc95e0bb5459d19c38f3d1a373b67ea717ead314059d1f20a07bba6b7a142

General

Target

17f87af32489562ebf64946b99e97c00.exe
Size

7.8MB
MD5

17f87af32489562ebf64946b99e97c00
SHA1

69cbe58c6b9e4d2dbc9cf5f0146da2150696a003
SHA256

b78fc95e0bb5459d19c38f3d1a373b67ea717ead314059d1f20a07bba6b7a142
SHA512

2de01fcf73d14435ee96e1a29804b588172f9bc58e04b0e5fa3174aba1bfea788ea5c4bb43209e578aa1fce315239c2440ebb9589862b31145c430506b8b11b1
SSDEEP

196608:A2CiSOdlirbaDQFdlirldVACXoDdlirbaDQFdliryxJdlirbaDQFdlirldVACXoP:yiS4DXdwDQDXdwD

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	17f87af32489562ebf64946b99e97c00.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	17f87af32489562ebf64946b99e97c00.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	17f87af32489562ebf64946b99e97c00.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001494f-11.dat	upx
behavioral1/memory/2716-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001494f-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	17f87af32489562ebf64946b99e97c00.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	17f87af32489562ebf64946b99e97c00.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	17f87af32489562ebf64946b99e97c00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	17f87af32489562ebf64946b99e97c00.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	17f87af32489562ebf64946b99e97c00.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2860	17f87af32489562ebf64946b99e97c00.exe
2716	17f87af32489562ebf64946b99e97c00.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2716	2860	17f87af32489562ebf64946b99e97c00.exe	28
PID 2860 wrote to memory of 2716	2860	17f87af32489562ebf64946b99e97c00.exe	28
PID 2860 wrote to memory of 2716	2860	17f87af32489562ebf64946b99e97c00.exe	28
PID 2860 wrote to memory of 2716	2860	17f87af32489562ebf64946b99e97c00.exe	28
PID 2716 wrote to memory of 2592	2716	17f87af32489562ebf64946b99e97c00.exe	29
PID 2716 wrote to memory of 2592	2716	17f87af32489562ebf64946b99e97c00.exe	29
PID 2716 wrote to memory of 2592	2716	17f87af32489562ebf64946b99e97c00.exe	29
PID 2716 wrote to memory of 2592	2716	17f87af32489562ebf64946b99e97c00.exe	29
PID 2716 wrote to memory of 2636	2716	17f87af32489562ebf64946b99e97c00.exe	32
PID 2716 wrote to memory of 2636	2716	17f87af32489562ebf64946b99e97c00.exe	32
PID 2716 wrote to memory of 2636	2716	17f87af32489562ebf64946b99e97c00.exe	32
PID 2716 wrote to memory of 2636	2716	17f87af32489562ebf64946b99e97c00.exe	32
PID 2636 wrote to memory of 2096	2636	cmd.exe	33
PID 2636 wrote to memory of 2096	2636	cmd.exe	33
PID 2636 wrote to memory of 2096	2636	cmd.exe	33
PID 2636 wrote to memory of 2096	2636	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe
"C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe
  C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\UR4a0RXj.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe

Filesize
322KB

MD5
1b81d51802e51471e096aa51c3046695

SHA1
328040f240079362eda6ff19d0bc73f652d7e2ff

SHA256
8c7827d1a3b15f6d074c60d839e6a3495115b12b51424f479de784b010606773

SHA512
9f545bdcde7886ef33986d6d23a0b51397abd9e8da665852670c18e9e0957473ff45611290335c203fa54675ad1a1469745464797546426673fb60929c36fff2

Download Submit
\Users\Admin\AppData\Local\Temp\17f87af32489562ebf64946b99e97c00.exe

Filesize
565KB

MD5
9a75db30ce1a6d781ec0e82bec186182

SHA1
c55fa0a8406e1258afcdcad0d6fa6021403d0d9c

SHA256
f5a369986a05340be25c49cc7590d55184ec3ed245005c4299782561d24aabb8

SHA512
2a61b122623ca5c7c3dd5b8c3e325fcafb66ae957932520583177493b8fbb511684062eec62bdd926810c186d2ae32247f2b09a2c59e26b526a1fc1c611c40c0

Download Submit
memory/2716-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2716-19-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2716-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2716-29-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2716-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2860-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2860-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2860-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads