74f34d3103dba9f0ea8d24840523ad7193e0d85561b948518ebf1721dacbc0ea

General

Target

234ffafb2c56b33d2c8ee4af271fe8e8.exe
Size

1.6MB
MD5

234ffafb2c56b33d2c8ee4af271fe8e8
SHA1

d7f75a61385cbc213cb60337cf9e73cedb2097ce
SHA256

74f34d3103dba9f0ea8d24840523ad7193e0d85561b948518ebf1721dacbc0ea
SHA512

d74a244a7c058f0610d63eb7524b6f0f4bc956da91f089200328fda156f1b1ff2b34b3a3979dde2d7470a86f0d52656d7422bf2e70c3eb45130e9319cae4f9ac
SSDEEP

49152:KFzWnEx0lultenrEAcakLz0/Ev9e+l1GwLSs9stxcakLz0O:UL0lyterrcakc/Ev9e81GwLSs9s3cak7

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000014120-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	234ffafb2c56b33d2c8ee4af271fe8e8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	234ffafb2c56b33d2c8ee4af271fe8e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	234ffafb2c56b33d2c8ee4af271fe8e8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	234ffafb2c56b33d2c8ee4af271fe8e8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe
1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1852	2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe	21
PID 2204 wrote to memory of 1852	2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe	21
PID 2204 wrote to memory of 1852	2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe	21
PID 2204 wrote to memory of 1852	2204	234ffafb2c56b33d2c8ee4af271fe8e8.exe	21
PID 1852 wrote to memory of 2616	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	16
PID 1852 wrote to memory of 2616	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	16
PID 1852 wrote to memory of 2616	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	16
PID 1852 wrote to memory of 2616	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	16
PID 1852 wrote to memory of 2688	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	18
PID 1852 wrote to memory of 2688	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	18
PID 1852 wrote to memory of 2688	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	18
PID 1852 wrote to memory of 2688	1852	234ffafb2c56b33d2c8ee4af271fe8e8.exe	18
PID 2688 wrote to memory of 2612	2688	cmd.exe	19
PID 2688 wrote to memory of 2612	2688	cmd.exe	19
PID 2688 wrote to memory of 2612	2688	cmd.exe	19
PID 2688 wrote to memory of 2612	2688	cmd.exe	19

C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe
"C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe
  C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe" /TN 6ek6uOO9da42 /F
1⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\djjCi.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Query /XML /TN 6ek6uOO9da42
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\234ffafb2c56b33d2c8ee4af271fe8e8.exe

Filesize
1.6MB

MD5
0ff1c6903b46d0511dbb75ef502ddeca

SHA1
2a761e043c51f704b537bb777a5d154f228d2152

SHA256
16e6c7ef23d489e60f1e4a484685faf9fa726da3d321bee088a2918af04a36c9

SHA512
6158100be7844092c4980e3fa523a3b0d31f1edd3c63c787bb49b0776750ef12c4572bf5f2380b8daf4e68a449d789f3d62e205fbc9456ab534c378fd2975bc4

Download Submit
memory/1852-18-0x00000000001B0000-0x000000000022E000-memory.dmp

Filesize
504KB

Download
memory/1852-25-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1852-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1852-27-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/1852-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2204-5-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2204-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads