6485d77c3ceec3b7084b9e8da08e274183eaf5c648d357ee105c147731fb1ccf

General

Target

28bca62fd4ac5b94a4698a71d6c266c3.exe
Size

133KB
MD5

28bca62fd4ac5b94a4698a71d6c266c3
SHA1

b748faaf308b2b32f32394c3267508f4c423228f
SHA256

6485d77c3ceec3b7084b9e8da08e274183eaf5c648d357ee105c147731fb1ccf
SHA512

315f91d33156664dc0da59d5d476f912ce0b8091c397b0ba1343ee94434b288f492159ad3f5b3804b5bcaab0959cc403ceaa66abcf13bd1c583c629af59b08f0
SSDEEP

3072:nhgl0mU1f4vaWrAhb7flDG+bFQmv2ine0suQ:nhgl+1fvWaTVfbFLe0suQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2392	28bca62fd4ac5b94a4698a71d6c266c3.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	28bca62fd4ac5b94a4698a71d6c266c3.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	28bca62fd4ac5b94a4698a71d6c266c3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000800000001223a-14.dat	upx
behavioral1/files/0x000800000001223a-13.dat	upx
behavioral1/files/0x000800000001223a-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	28bca62fd4ac5b94a4698a71d6c266c3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	28bca62fd4ac5b94a4698a71d6c266c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	28bca62fd4ac5b94a4698a71d6c266c3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	28bca62fd4ac5b94a4698a71d6c266c3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	28bca62fd4ac5b94a4698a71d6c266c3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	28bca62fd4ac5b94a4698a71d6c266c3.exe
2392	28bca62fd4ac5b94a4698a71d6c266c3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2392	1708	28bca62fd4ac5b94a4698a71d6c266c3.exe	18
PID 1708 wrote to memory of 2392	1708	28bca62fd4ac5b94a4698a71d6c266c3.exe	18
PID 1708 wrote to memory of 2392	1708	28bca62fd4ac5b94a4698a71d6c266c3.exe	18
PID 1708 wrote to memory of 2392	1708	28bca62fd4ac5b94a4698a71d6c266c3.exe	18

C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe
"C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe
  C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe

Filesize
61KB

MD5
ac99368f982a795033f7bff5e1fe090d

SHA1
6f207943ba1e8a174b7cd3d6c7ef861b741087e1

SHA256
2821ddedb6066be8d58afc46252670efcd873138c1058451410c0b178ab9e901

SHA512
23149da6306d328fb3d5f6d93ce484ca16d0dbfce5a763d5984194af5ac94b283352ec055e25eb47d68047ff12b10508c76f003b6385b89b648fd8bf87a60431

Download Submit
C:\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe

Filesize
42KB

MD5
e9868be7d1ade7e03843b3be2882ec32

SHA1
03d8dc2f9f1afb06d981a7b0d45ffee9fb118da7

SHA256
21705eb47fd5046169a1dc954ec0fbe4c14942e35e35842471dec00e679d5916

SHA512
8df0230516140c5ffbd34479342077f4a40e72458b6fc8a487fd70ad4b3fe3b53e7e937917f406a3192aab78b73c4282e7ce7a04676b6466aa94826808b3f40f

Download Submit
\Users\Admin\AppData\Local\Temp\28bca62fd4ac5b94a4698a71d6c266c3.exe

Filesize
133KB

MD5
ba029d0c9d0b6109eb90077b45ce3e9a

SHA1
e0c786dd013cd5c5c1bc0b78b2c1e6b26c0b54bc

SHA256
cca4ae43e699f435113a36d8b45519f79d6ef716722de2c157b7f6356d7a5dd7

SHA512
ba13d21f79341631341000e2aabd37369f539649458c2bbc650671138ca1d8cf6a3dc01af47634f82b96537fcd1f082b302f3287d846ced62bf24db0b532d883

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1708-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1708-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2392-17-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2392-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing