0084b6efe2d6a67272e8d82f4b2193211c03481ec37d82e5191e2a9289f59998

General

Target

173c1c4bc8288b09bf36c84f845030d2.exe
Size

2.6MB
MD5

173c1c4bc8288b09bf36c84f845030d2
SHA1

2a893dbb8dd04579cbdadff737c4e384f7fe897a
SHA256

0084b6efe2d6a67272e8d82f4b2193211c03481ec37d82e5191e2a9289f59998
SHA512

28f1cc7605d0e983fcd01b5a8824b0a5d10dd2dd1fce67f22727bbfc2c9d989faf7a5d070969f65f9a1f088e0862c8b84d5dadc5d1ed935ca9af3b9eea0a9174
SSDEEP

49152:dsoyGEUkf6MKbUPj5D9s3fZJe1+BMb1Fcxay3:66MQgT8W1Mu+3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	173c1c4bc8288b09bf36c84f845030d2.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	173c1c4bc8288b09bf36c84f845030d2.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	173c1c4bc8288b09bf36c84f845030d2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000c000000015c26-11.dat	upx
behavioral1/files/0x000c000000015c26-14.dat	upx
behavioral1/memory/2764-15-0x00000000038A0000-0x000000000423E000-memory.dmp	upx
behavioral1/memory/2608-17-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	173c1c4bc8288b09bf36c84f845030d2.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	173c1c4bc8288b09bf36c84f845030d2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	173c1c4bc8288b09bf36c84f845030d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	173c1c4bc8288b09bf36c84f845030d2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2764	173c1c4bc8288b09bf36c84f845030d2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2764	173c1c4bc8288b09bf36c84f845030d2.exe
2608	173c1c4bc8288b09bf36c84f845030d2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2608	2764	173c1c4bc8288b09bf36c84f845030d2.exe	29
PID 2764 wrote to memory of 2608	2764	173c1c4bc8288b09bf36c84f845030d2.exe	29
PID 2764 wrote to memory of 2608	2764	173c1c4bc8288b09bf36c84f845030d2.exe	29
PID 2764 wrote to memory of 2608	2764	173c1c4bc8288b09bf36c84f845030d2.exe	29

C:\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe
"C:\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe
  C:\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe

Filesize
1.4MB

MD5
9a450ceee9e930584eb4c75084b5acda

SHA1
eeef8d846b2c995973ab12b204313d74cea0c9d7

SHA256
7c5cd8821b85656314b093b9ec75d67d1da54567b37684853464a06a76073498

SHA512
19e80d333bc409c51822292a74e4017e964b04f74fd4d882f7188ef4b95c802eb9edd1d62fdec451258b02b653071d027cccd1f46bb7266e97b04a72dada8287

Download Submit
\Users\Admin\AppData\Local\Temp\173c1c4bc8288b09bf36c84f845030d2.exe

Filesize
1.5MB

MD5
c59d084ac4dfa66a8ae755850ca95841

SHA1
4e608b9a68074656c96ce240d3c670cae470d7b7

SHA256
982cf19aed32bb702a7283be1506d17ab5ab9aa2b0351c83c18e97a069b2aade

SHA512
362dcc8b06d41a75b10495265eabf4e502136f833fdc73bfa850ba246bf474ec39122aefcb8959f2b36a2065c8d998bad526a58645ad1091c60e41ca44a52a28

Download Submit
memory/2608-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2608-19-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2608-25-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2764-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2764-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2764-3-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2764-15-0x00000000038A0000-0x000000000423E000-memory.dmp

Filesize
9.6MB

Download
memory/2764-16-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing