2ed74e793d4008fd231516f9166179c3854d7be22bdb31fc41a2c3cdaa2441e6

General

Target

2c014fba0c930c2d52f79846d575365c.exe
Size

2.0MB
MD5

2c014fba0c930c2d52f79846d575365c
SHA1

8c49abc37fb7463fbd8cb90b64f617c7be79f14e
SHA256

2ed74e793d4008fd231516f9166179c3854d7be22bdb31fc41a2c3cdaa2441e6
SHA512

22d492cde9074d8b7f76b10a337b5c52de361bac2714daa0a115f811b8befe2106e7e807aeb90789ece6e52e1b3ee1c21e597ef2ad835729ef4cf99b75734711
SSDEEP

49152:jrn0Cn0WqGRMHJEuMlSVj21RaBkoXlqr1YtTpokZ/9/Pj6ADYdHJEuMlSVj21RaN:jrnjn0WqGRMHJEu9Vj214Bkilqr1YtFw

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	2c014fba0c930c2d52f79846d575365c.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	2c014fba0c930c2d52f79846d575365c.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	2c014fba0c930c2d52f79846d575365c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012234-11.dat	upx
behavioral1/files/0x000b000000012234-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2c014fba0c930c2d52f79846d575365c.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	2c014fba0c930c2d52f79846d575365c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	2c014fba0c930c2d52f79846d575365c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2c014fba0c930c2d52f79846d575365c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	2c014fba0c930c2d52f79846d575365c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	2c014fba0c930c2d52f79846d575365c.exe
2332	2c014fba0c930c2d52f79846d575365c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2332	2928	2c014fba0c930c2d52f79846d575365c.exe	29
PID 2928 wrote to memory of 2332	2928	2c014fba0c930c2d52f79846d575365c.exe	29
PID 2928 wrote to memory of 2332	2928	2c014fba0c930c2d52f79846d575365c.exe	29
PID 2928 wrote to memory of 2332	2928	2c014fba0c930c2d52f79846d575365c.exe	29
PID 2332 wrote to memory of 2800	2332	2c014fba0c930c2d52f79846d575365c.exe	31
PID 2332 wrote to memory of 2800	2332	2c014fba0c930c2d52f79846d575365c.exe	31
PID 2332 wrote to memory of 2800	2332	2c014fba0c930c2d52f79846d575365c.exe	31
PID 2332 wrote to memory of 2800	2332	2c014fba0c930c2d52f79846d575365c.exe	31
PID 2332 wrote to memory of 2748	2332	2c014fba0c930c2d52f79846d575365c.exe	34
PID 2332 wrote to memory of 2748	2332	2c014fba0c930c2d52f79846d575365c.exe	34
PID 2332 wrote to memory of 2748	2332	2c014fba0c930c2d52f79846d575365c.exe	34
PID 2332 wrote to memory of 2748	2332	2c014fba0c930c2d52f79846d575365c.exe	34
PID 2748 wrote to memory of 2888	2748	cmd.exe	33
PID 2748 wrote to memory of 2888	2748	cmd.exe	33
PID 2748 wrote to memory of 2888	2748	cmd.exe	33
PID 2748 wrote to memory of 2888	2748	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe
"C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe
  C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\JvWIf.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe

Filesize
2.0MB

MD5
9f94602f83d48e5c9ed84940e75b302f

SHA1
e5ad4b6ab536b38795833d68c99216a9ed43a00e

SHA256
f5264345ad73eb056eeaaddfa0f4015db9e05f45e3a2ed02267f880d87da4550

SHA512
e764ff4604b3f9f8a8ac56e13ae273535d6c752c0c30be51ff76fb07f12bb252edba8790eb89454911c2a6ab84604f352373e784d1664136d88b13192e3d9896

Download Submit
C:\Users\Admin\AppData\Local\Temp\JvWIf.xml

Filesize
1KB

MD5
f1762e1084e22362b284eb016fdf7df4

SHA1
18d1d66b562c9c10df565378e0a2870ed83beeef

SHA256
2b6bdc8d1c7ea37e44f6e1aff38bfc1a4c21086d43b51c7b1b1c189a2007c0e7

SHA512
8ea7515b6fa12398278024239349e06ed58c944b76c3a2856684793c1b0dcc5359bcf00c06e3e1d6e2810f444e974621bad50b6d9a4684e0625be6059509d386

Download Submit
\Users\Admin\AppData\Local\Temp\2c014fba0c930c2d52f79846d575365c.exe

Filesize
1.2MB

MD5
125905b91e548d307c69997a787dd66f

SHA1
8f085c20a1c1c0473ca7bb98eab24a4180157670

SHA256
4fb93f6d7d3365612b7a1eb884a0a3c068c3e68fcf32a2d3bb176dfbb23fc41b

SHA512
4025d13854f6cef562642779962ede600cbf221ea00fe4609f1610d7bd129539a6fb40c178860a1e32b9c5d9675e4338796cb3cb3d1377ab76ca61a058c8c6fb

Download Submit
memory/2332-18-0x0000000000360000-0x00000000003DE000-memory.dmp

Filesize
504KB

Download
memory/2332-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2332-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2332-24-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2332-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2928-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads