a2dcef726bbda97be81d45f10f5683bbdb9ef211ee62b4b5583683c8b4200e68

General

Target

2be04d00448e8c15873d4cf1602e986f.exe
Size

2.0MB
MD5

2be04d00448e8c15873d4cf1602e986f
SHA1

267ff129215135aab65b15d2511470734f3c8e36
SHA256

a2dcef726bbda97be81d45f10f5683bbdb9ef211ee62b4b5583683c8b4200e68
SHA512

1df3740a61dd03b10c3b456ec0f08735ecdd2615a9ee81915d70c1918d398d87aca44e8ae1b8732435cdaf94a53089916e350b0305fc3a048e809d65a90f1e0d
SSDEEP

49152:rzSg5z44vVuncakLz0ibq6yqhkWvJ7dcmq7S32d8lN9cakLz0ibq6yqh:rGg5z449uncakcibiqhkWvJ7dcmq7S3+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3064	2be04d00448e8c15873d4cf1602e986f.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	2be04d00448e8c15873d4cf1602e986f.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	2be04d00448e8c15873d4cf1602e986f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-3-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012203-11.dat	upx
behavioral1/files/0x0009000000012203-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2be04d00448e8c15873d4cf1602e986f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2be04d00448e8c15873d4cf1602e986f.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	2be04d00448e8c15873d4cf1602e986f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	2be04d00448e8c15873d4cf1602e986f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	2be04d00448e8c15873d4cf1602e986f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	2be04d00448e8c15873d4cf1602e986f.exe
3064	2be04d00448e8c15873d4cf1602e986f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3064	2928	2be04d00448e8c15873d4cf1602e986f.exe	29
PID 2928 wrote to memory of 3064	2928	2be04d00448e8c15873d4cf1602e986f.exe	29
PID 2928 wrote to memory of 3064	2928	2be04d00448e8c15873d4cf1602e986f.exe	29
PID 2928 wrote to memory of 3064	2928	2be04d00448e8c15873d4cf1602e986f.exe	29
PID 3064 wrote to memory of 2660	3064	2be04d00448e8c15873d4cf1602e986f.exe	31
PID 3064 wrote to memory of 2660	3064	2be04d00448e8c15873d4cf1602e986f.exe	31
PID 3064 wrote to memory of 2660	3064	2be04d00448e8c15873d4cf1602e986f.exe	31
PID 3064 wrote to memory of 2660	3064	2be04d00448e8c15873d4cf1602e986f.exe	31
PID 3064 wrote to memory of 2748	3064	2be04d00448e8c15873d4cf1602e986f.exe	32
PID 3064 wrote to memory of 2748	3064	2be04d00448e8c15873d4cf1602e986f.exe	32
PID 3064 wrote to memory of 2748	3064	2be04d00448e8c15873d4cf1602e986f.exe	32
PID 3064 wrote to memory of 2748	3064	2be04d00448e8c15873d4cf1602e986f.exe	32
PID 2748 wrote to memory of 2892	2748	cmd.exe	33
PID 2748 wrote to memory of 2892	2748	cmd.exe	33
PID 2748 wrote to memory of 2892	2748	cmd.exe	33
PID 2748 wrote to memory of 2892	2748	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe
"C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe
  C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\GoIADJ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN qm2lmOfce5f6
      4⤵
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe

Filesize
1.9MB

MD5
c778ba4c4aeada1afa0ed82b0369edca

SHA1
abe9946364a5862f044140554f7fed199a9ec59e

SHA256
e4c1c8205690ecf43b6b6e5e40d27543f467395620e864810262004cf197a8d8

SHA512
15b3cce0ac0b305b4c2dcbc52d0c04b90459c492d99691726c43990d3a20d1824860c8abeb0b4610436bf79b2722e227b7b03422c89107794ada2f2bcfc7ec92

Download Submit
\Users\Admin\AppData\Local\Temp\2be04d00448e8c15873d4cf1602e986f.exe

Filesize
642KB

MD5
68649d819275ced7976e07bb47c64e98

SHA1
43643348ea1326e85936483cfe2402626a566841

SHA256
7443352ab1c416f2934f82c7747e88b143156ee463099fde2633cb7eb89e1464

SHA512
76b12d3e47a3af6dd2da19fe2af67a13c65b2fb09e4a071ecebbad9b296a403e7ed43cd5f8077049930a6973a91cb81d811b50fdbb82d020351b79f4dea65bfc

Download Submit
memory/2928-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-3-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-6-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2928-17-0x0000000023340000-0x000000002359C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3064-21-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/3064-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3064-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3064-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads