0030d57d7f7ccafffa0b54d00ccefed42bdbd7707cf161453b57087e6a322a0e

General

Target

2c6f42139a259a549f2b0dceb59110e0.exe
Size

1003KB
MD5

2c6f42139a259a549f2b0dceb59110e0
SHA1

38b069c2c609e146465bec44c166997e5df0921e
SHA256

0030d57d7f7ccafffa0b54d00ccefed42bdbd7707cf161453b57087e6a322a0e
SHA512

fb2b74129a598744d587ff0fa52d790315eaeca3e6ee30ffa3ecfc127f9c795ffdda5563ee2ab58b4ae6b5d29ec8ecb58f37f84f44f8b29853e0a474e05de488
SSDEEP

24576:CHPWDtQCZlWF/NY30dpcjukL2CDYibq6/yqLNaF:C+5puFNqGpcakLz0ibq6yqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	2c6f42139a259a549f2b0dceb59110e0.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	2c6f42139a259a549f2b0dceb59110e0.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	2c6f42139a259a549f2b0dceb59110e0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d0000000122c2-11.dat	upx
behavioral1/files/0x000d0000000122c2-17.dat	upx
behavioral1/memory/2384-16-0x0000000022EA0000-0x00000000230FC000-memory.dmp	upx
behavioral1/memory/2980-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2820	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2c6f42139a259a549f2b0dceb59110e0.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	2c6f42139a259a549f2b0dceb59110e0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	2c6f42139a259a549f2b0dceb59110e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2c6f42139a259a549f2b0dceb59110e0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2384	2c6f42139a259a549f2b0dceb59110e0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2384	2c6f42139a259a549f2b0dceb59110e0.exe
2980	2c6f42139a259a549f2b0dceb59110e0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2980	2384	2c6f42139a259a549f2b0dceb59110e0.exe	29
PID 2384 wrote to memory of 2980	2384	2c6f42139a259a549f2b0dceb59110e0.exe	29
PID 2384 wrote to memory of 2980	2384	2c6f42139a259a549f2b0dceb59110e0.exe	29
PID 2384 wrote to memory of 2980	2384	2c6f42139a259a549f2b0dceb59110e0.exe	29
PID 2980 wrote to memory of 2820	2980	2c6f42139a259a549f2b0dceb59110e0.exe	30
PID 2980 wrote to memory of 2820	2980	2c6f42139a259a549f2b0dceb59110e0.exe	30
PID 2980 wrote to memory of 2820	2980	2c6f42139a259a549f2b0dceb59110e0.exe	30
PID 2980 wrote to memory of 2820	2980	2c6f42139a259a549f2b0dceb59110e0.exe	30
PID 2980 wrote to memory of 2072	2980	2c6f42139a259a549f2b0dceb59110e0.exe	33
PID 2980 wrote to memory of 2072	2980	2c6f42139a259a549f2b0dceb59110e0.exe	33
PID 2980 wrote to memory of 2072	2980	2c6f42139a259a549f2b0dceb59110e0.exe	33
PID 2980 wrote to memory of 2072	2980	2c6f42139a259a549f2b0dceb59110e0.exe	33
PID 2072 wrote to memory of 2696	2072	cmd.exe	34
PID 2072 wrote to memory of 2696	2072	cmd.exe	34
PID 2072 wrote to memory of 2696	2072	cmd.exe	34
PID 2072 wrote to memory of 2696	2072	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe
"C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe
  C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\hyjPu2.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c6f42139a259a549f2b0dceb59110e0.exe

Filesize
92KB

MD5
b75c867dd03d984a9dca15ed2a060faa

SHA1
c1a1c8488ca4d1b94712d4a921c40d30a2279421

SHA256
9886665c3993d003a2e278c01a0ac4a10aa0572c5178a4350b5f46069159c72d

SHA512
3c3ab98c669aa68942e04ea50f441740c0d6a990e93bc96f68e988fa6b955c81d814f92d0979222309c61243f45537b0a04c4fe1a77b73e03c0bed3699648829

Download Submit
memory/2384-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2384-2-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2384-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2384-16-0x0000000022EA0000-0x00000000230FC000-memory.dmp

Filesize
2.4MB

Download
memory/2384-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2980-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2980-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2980-28-0x0000000000200000-0x000000000026B000-memory.dmp

Filesize
428KB

Download
memory/2980-20-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/2980-41-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads