7b9dd0b7156de5423a0e515f4d3032dd8df231c4c66bd5836375a501e8ed6760

General

Target

399b0e1c544c1b24811cbb5aec996874.exe
Size

7.8MB
MD5

399b0e1c544c1b24811cbb5aec996874
SHA1

6545243f8c03361cc07e835d5750b512f9736c5b
SHA256

7b9dd0b7156de5423a0e515f4d3032dd8df231c4c66bd5836375a501e8ed6760
SHA512

3cb2f57b4cee06e02c78bddc1b0fffd2dfac27520918a011b8637c8c4f659ec5fa36c7c14ce3f8aafc119569da16a2e5b92250aeb3bf9c2bec1b94bf7b279e39
SSDEEP

196608:f0dlirumPMdlirdfbePadlirumPMdlir2hT+cvdlirumPMdlirdfbePadlirumPr:f6m1PmQqcNm1Pm

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	399b0e1c544c1b24811cbb5aec996874.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	399b0e1c544c1b24811cbb5aec996874.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	399b0e1c544c1b24811cbb5aec996874.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012252-11.dat	upx
behavioral1/memory/2840-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012252-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2864	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	399b0e1c544c1b24811cbb5aec996874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	399b0e1c544c1b24811cbb5aec996874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	399b0e1c544c1b24811cbb5aec996874.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	399b0e1c544c1b24811cbb5aec996874.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2180	399b0e1c544c1b24811cbb5aec996874.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2180	399b0e1c544c1b24811cbb5aec996874.exe
2840	399b0e1c544c1b24811cbb5aec996874.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2840	2180	399b0e1c544c1b24811cbb5aec996874.exe	29
PID 2180 wrote to memory of 2840	2180	399b0e1c544c1b24811cbb5aec996874.exe	29
PID 2180 wrote to memory of 2840	2180	399b0e1c544c1b24811cbb5aec996874.exe	29
PID 2180 wrote to memory of 2840	2180	399b0e1c544c1b24811cbb5aec996874.exe	29
PID 2840 wrote to memory of 2864	2840	399b0e1c544c1b24811cbb5aec996874.exe	30
PID 2840 wrote to memory of 2864	2840	399b0e1c544c1b24811cbb5aec996874.exe	30
PID 2840 wrote to memory of 2864	2840	399b0e1c544c1b24811cbb5aec996874.exe	30
PID 2840 wrote to memory of 2864	2840	399b0e1c544c1b24811cbb5aec996874.exe	30
PID 2840 wrote to memory of 2716	2840	399b0e1c544c1b24811cbb5aec996874.exe	34
PID 2840 wrote to memory of 2716	2840	399b0e1c544c1b24811cbb5aec996874.exe	34
PID 2840 wrote to memory of 2716	2840	399b0e1c544c1b24811cbb5aec996874.exe	34
PID 2840 wrote to memory of 2716	2840	399b0e1c544c1b24811cbb5aec996874.exe	34
PID 2716 wrote to memory of 2692	2716	cmd.exe	33
PID 2716 wrote to memory of 2692	2716	cmd.exe	33
PID 2716 wrote to memory of 2692	2716	cmd.exe	33
PID 2716 wrote to memory of 2692	2716	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe
"C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe
  C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\BkMMc.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN Nnb8kaFf43a4
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe

Filesize
36KB

MD5
f060b41ab9da40d55dc8f7ba588e017a

SHA1
03ca329ca518dc2ee8850f6f5c730d5bded6efbf

SHA256
76b2b75ac3daa3c99eeb4c9d24a5279c2f3def449540e0b2fd2f54e543de6776

SHA512
a71c7b899cee2a0789f636a705ed72d11056bce405b241dd016c7b58fd6e3eeb8890133aa072ee5e176a64ec1529c22741d4e48db1c76522f7174168c08d2fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkMMc.xml

Filesize
1KB

MD5
a8314313b55a8058628c8053bceb66c7

SHA1
f57cb3cb98389acb3e0007441586c618a65d55b9

SHA256
6068c925da75646f8676e9bf412110a289e54aa96dd287be372c98cab2bc13c3

SHA512
69c863fbe9493a1f341f70bd049aab92779c15bc24dca1f372a3c7f4f02c2a8abb7721f1f08480a2ceead1a42d971eb935aeefba7389a5cc036934bc4c040181

Download Submit
\Users\Admin\AppData\Local\Temp\399b0e1c544c1b24811cbb5aec996874.exe

Filesize
225KB

MD5
2924a0774bf3b6ebc6de511064b95a41

SHA1
899383f66c18602708c3929cefaf1a02f07108e2

SHA256
ff8fcc79fb720ff72c8ca15e83e8a90ec7d36559536ed6ca9450bd61c33759e1

SHA512
5fe5c89575217949ba46c2dbf8ef3c6117f6fe73c0dc1fe9584c7a626af95c64aee9cd36ab67f6a55f2e3b0a61d6ec347b53de3e700d55753deb84e1e360c528

Download Submit
memory/2180-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2180-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2180-16-0x0000000023DF0000-0x000000002404C000-memory.dmp

Filesize
2.4MB

Download
memory/2180-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2180-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2180-36-0x0000000023DF0000-0x000000002404C000-memory.dmp

Filesize
2.4MB

Download
memory/2840-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2840-27-0x0000000000340000-0x00000000003AB000-memory.dmp

Filesize
428KB

Download
memory/2840-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2840-21-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads