a22e115a6dc0ffef3d3992a5eda745beb5447b11857ae726db70e79d35e8d67f

General

Target

196bc95623bbbee1c74512fbf8fcb758.exe
Size

5.5MB
MD5

196bc95623bbbee1c74512fbf8fcb758
SHA1

cc06c3fd518a760f63a832489a3ba8fb236e053d
SHA256

a22e115a6dc0ffef3d3992a5eda745beb5447b11857ae726db70e79d35e8d67f
SHA512

b70da3d27acbb6fbe693e2ab2837984ec4a851f34ee7d6df709d24154266a241e67dee4430407f18980a78baf359eed6e73b166ee9b626a6c4a5925410b37df3
SSDEEP

49152:fhixO/+rkAkuoM4XEAPtO88ShKOvy1SPay3vRmCFOGNj8mW4JH53R+wVG+l0yd/W:wADjtv35mCckFR+vicS43

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	196bc95623bbbee1c74512fbf8fcb758.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	196bc95623bbbee1c74512fbf8fcb758.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	196bc95623bbbee1c74512fbf8fcb758.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000d0000000122bf-11.dat	upx
behavioral1/files/0x000d0000000122bf-13.dat	upx
behavioral1/files/0x000d0000000122bf-15.dat	upx
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	196bc95623bbbee1c74512fbf8fcb758.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	196bc95623bbbee1c74512fbf8fcb758.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	196bc95623bbbee1c74512fbf8fcb758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	196bc95623bbbee1c74512fbf8fcb758.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2772	196bc95623bbbee1c74512fbf8fcb758.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2772	196bc95623bbbee1c74512fbf8fcb758.exe
2780	196bc95623bbbee1c74512fbf8fcb758.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2780	2772	196bc95623bbbee1c74512fbf8fcb758.exe	28
PID 2772 wrote to memory of 2780	2772	196bc95623bbbee1c74512fbf8fcb758.exe	28
PID 2772 wrote to memory of 2780	2772	196bc95623bbbee1c74512fbf8fcb758.exe	28
PID 2772 wrote to memory of 2780	2772	196bc95623bbbee1c74512fbf8fcb758.exe	28

C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe
"C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe
  C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe

Filesize
4.6MB

MD5
4bedc6c4d144b5da85044ed7fc3fa068

SHA1
199856c2075ad931cd77b0594810499529139c2b

SHA256
892c4be25f259cf6366a9422e76379a82959294d9fb91f4b7e940e6a5ff8c7c3

SHA512
33f87eadd82ac2952f74049d659f02ea8782ddb4845a6cea7b8bd6f9cd4c697df78cfc35d6ddfdaef55ab5bbb827c83665f1a96382404271c030fb2307b2f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe

Filesize
5.5MB

MD5
12d6195d383703f341bb5ab7a90b8402

SHA1
3962539ba91d058134c9360f9ee8e58c8fc747fb

SHA256
17abb380f6f8824824190890678726a3211e269baeb10a522152a5a2e3ee5eac

SHA512
9779b8d0b92612f06ef105b78969dba2d54efaab5f490e4c6989d0b5e95e1e1ef159e2904abd7f1beb9a628e41a2ebe862eafbac4b0cca4ef223ac9894a2880d

Download Submit
\Users\Admin\AppData\Local\Temp\196bc95623bbbee1c74512fbf8fcb758.exe

Filesize
4.1MB

MD5
f7e8130eb3728af7d7f58a0f62d0c201

SHA1
7ad047e7b4d6d5b6b0a2189102b0b06be7d118a6

SHA256
44d35b4ba8fae80ad6066c4d00536f9bd4fbd523afca0635801ccdb0663e5189

SHA512
e56116864a0e6e8993bc481c41280c7381cb5fdb0cc78f61f9661874e3c3811bf5d1e631b29bf7200e774b1fd0068e876130d0a488dd193118e1e5a0e2c83468

Download Submit
memory/2772-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2772-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2772-2-0x0000000002280000-0x00000000024DA000-memory.dmp

Filesize
2.4MB

Download
memory/2772-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2772-16-0x0000000004420000-0x0000000004DBE000-memory.dmp

Filesize
9.6MB

Download
memory/2772-42-0x0000000004420000-0x0000000004DBE000-memory.dmp

Filesize
9.6MB

Download
memory/2780-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2780-18-0x0000000002270000-0x00000000024CA000-memory.dmp

Filesize
2.4MB

Download
memory/2780-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing