bceb4a044eccd32a915854ccbf47593afe1b8fac1d5f81bc24252474902c0d86

General

Target

1be4d9da8728be93c04dc05abcd5a590.exe
Size

1.5MB
MD5

1be4d9da8728be93c04dc05abcd5a590
SHA1

db74a1de7a8bf3a719983dc1298a92a6e8261108
SHA256

bceb4a044eccd32a915854ccbf47593afe1b8fac1d5f81bc24252474902c0d86
SHA512

3febf86397e0fd059ba5ff52454ef1854d9182adfc228b0d082e7f4b8f34c304b41df1db1b6e9a681e009c43a1fead732e155e3cf77cf70ca852c601398b4967
SSDEEP

24576:owLjYUkcl2i7YhJTwQLyhWveB+4goGQoadai7D3uITjIFOxo53ApIj:owLj4clN7YLTwQLyhWveB+4goGQ7ai7s

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2460	1be4d9da8728be93c04dc05abcd5a590.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	1be4d9da8728be93c04dc05abcd5a590.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	1be4d9da8728be93c04dc05abcd5a590.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-11.dat	upx
behavioral1/memory/2460-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1be4d9da8728be93c04dc05abcd5a590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1be4d9da8728be93c04dc05abcd5a590.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	1be4d9da8728be93c04dc05abcd5a590.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	1be4d9da8728be93c04dc05abcd5a590.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	1be4d9da8728be93c04dc05abcd5a590.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	1be4d9da8728be93c04dc05abcd5a590.exe
2460	1be4d9da8728be93c04dc05abcd5a590.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2460	2488	1be4d9da8728be93c04dc05abcd5a590.exe	29
PID 2488 wrote to memory of 2460	2488	1be4d9da8728be93c04dc05abcd5a590.exe	29
PID 2488 wrote to memory of 2460	2488	1be4d9da8728be93c04dc05abcd5a590.exe	29
PID 2488 wrote to memory of 2460	2488	1be4d9da8728be93c04dc05abcd5a590.exe	29
PID 2460 wrote to memory of 2736	2460	1be4d9da8728be93c04dc05abcd5a590.exe	30
PID 2460 wrote to memory of 2736	2460	1be4d9da8728be93c04dc05abcd5a590.exe	30
PID 2460 wrote to memory of 2736	2460	1be4d9da8728be93c04dc05abcd5a590.exe	30
PID 2460 wrote to memory of 2736	2460	1be4d9da8728be93c04dc05abcd5a590.exe	30
PID 2460 wrote to memory of 2800	2460	1be4d9da8728be93c04dc05abcd5a590.exe	34
PID 2460 wrote to memory of 2800	2460	1be4d9da8728be93c04dc05abcd5a590.exe	34
PID 2460 wrote to memory of 2800	2460	1be4d9da8728be93c04dc05abcd5a590.exe	34
PID 2460 wrote to memory of 2800	2460	1be4d9da8728be93c04dc05abcd5a590.exe	34
PID 2800 wrote to memory of 2808	2800	cmd.exe	33
PID 2800 wrote to memory of 2808	2800	cmd.exe	33
PID 2800 wrote to memory of 2808	2800	cmd.exe	33
PID 2800 wrote to memory of 2808	2800	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe
"C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe
  C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\ozahwd.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN MXmKXYLpa01b
1⤵
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe

Filesize
381KB

MD5
a3584cb68be6a65d579ef05d4c5627a2

SHA1
a3eed10306efa7cd5e0795041d6d84c70ef2fc4c

SHA256
c706ae77f98a26125e5941fa3dd04055d88c020182b0a93509bc4f8deb813145

SHA512
c69e4989ac2e5b007caa83f81e1eba0c5011834b0f77cf1ef74eabd78d4f7b9a783696d44bf1478d4b42505bfddb497bb23e15295a8e27f765b03d43accc52df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozahwd.xml

Filesize
1KB

MD5
1dacef40706d893d8d674f9a2f658614

SHA1
8a2b06de597bc83bdcd597f84cc87b787d8307d3

SHA256
9c17e6d77ec5a9f31878a70486d17a690972d142f44c6f02feeb48cb39e94a9b

SHA512
e3ec3177aad760547183af98d94151f8dcbc94bc93461907dacfca9bae56997bbb10656fccabbbf6802408a71e5ea73dce71b63c752cbcbbfd762e609cfc0097

Download Submit
\Users\Admin\AppData\Local\Temp\1be4d9da8728be93c04dc05abcd5a590.exe

Filesize
382KB

MD5
db0bd8657c61143a342a0fe7a68f5afb

SHA1
d1bd14cf022a62e64efcb4cdcf74484eac49625c

SHA256
466adc6c38279b819d57d7aa9558d884bf60f69e4fb0260f2ce4346cfc83c4ce

SHA512
8b72637d9a08e3b004ba51e35232d7dc9878912e2b8423b308b2a1e317cd72f85a1091259e5d9d64ff8315f0d5e1f349839b6fa3e0355b2fb8a4986a47a7077e

Download Submit
memory/2460-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2460-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2460-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2460-21-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2460-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-17-0x0000000022FF0000-0x000000002324C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2488-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads