be78ed93c0b8fb0c460afb1604005133fed382882c96e595871fc1f1912e1022

General

Target

2b17470773a37eee571c0d3e0127e9ab.exe
Size

605KB
MD5

2b17470773a37eee571c0d3e0127e9ab
SHA1

ee12bee96ffc0287d86f4f5a8ae8a52afa6057c3
SHA256

be78ed93c0b8fb0c460afb1604005133fed382882c96e595871fc1f1912e1022
SHA512

7aa6f32fd9970b43b2fb32ec91867602f7f75ae4f26bc55bdbce342402e2d2e4e03cefd3bfb789f8c2ac76530b9eae0f81bdb37594d2848acef63a320e378b83
SSDEEP

12288:ltikRXAEp0Uajmba4wvPqTzz++xPeWQm:ltfXAEW4tTzqjWX

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	2b17470773a37eee571c0d3e0127e9ab.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	2b17470773a37eee571c0d3e0127e9ab.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	2b17470773a37eee571c0d3e0127e9ab.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2480-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000c000000012262-11.dat	upx
behavioral1/files/0x000c000000012262-17.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2b17470773a37eee571c0d3e0127e9ab.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2b17470773a37eee571c0d3e0127e9ab.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	2b17470773a37eee571c0d3e0127e9ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	2b17470773a37eee571c0d3e0127e9ab.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2480	2b17470773a37eee571c0d3e0127e9ab.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2480	2b17470773a37eee571c0d3e0127e9ab.exe
2828	2b17470773a37eee571c0d3e0127e9ab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2828	2480	2b17470773a37eee571c0d3e0127e9ab.exe	29
PID 2480 wrote to memory of 2828	2480	2b17470773a37eee571c0d3e0127e9ab.exe	29
PID 2480 wrote to memory of 2828	2480	2b17470773a37eee571c0d3e0127e9ab.exe	29
PID 2480 wrote to memory of 2828	2480	2b17470773a37eee571c0d3e0127e9ab.exe	29

C:\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe
"C:\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe
  C:\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe

Filesize
605KB

MD5
d1b0819fa9ff8509c24d5b7a39674dc9

SHA1
9076f8f3bb722567075f597790951bc3a21df57a

SHA256
35ba9de4e195597e0705942357598aa1ce4b40b6297f3475b0d9a194714c6555

SHA512
7c02ca111c1abb3e85cc942de58acf036b64b84255c6012f4ccf0b7b6c456820a3bdb2764d86802378f6fe3e38c0e8c44c953bf1c9d773ed6683674256674e87

Download Submit
\Users\Admin\AppData\Local\Temp\2b17470773a37eee571c0d3e0127e9ab.exe

Filesize
64KB

MD5
cb0cd721ec172c432e219ad436dbdec2

SHA1
bc21777f57e9a25d3c0f8b8f3d3742aec1e18368

SHA256
cd1c56565b9e0efefa993abde379657e1c801ad39f4dbaefb8d67b0f66f76c8c

SHA512
eca268d058686777fb9f1da8ec029adcdc56873247614de8584ba3f1c46c4636d3d3073c5e5ee47c2af6b02bae83d4ec0b06deb0f1e4f30e963ffc1a3590b40c

Download Submit
memory/2480-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2480-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-1-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/2480-16-0x0000000022E50000-0x0000000022F30000-memory.dmp

Filesize
896KB

Download
memory/2480-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2828-19-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2828-21-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2828-44-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing