e9af1b584b9ed0bddeb605b4e444356719eea83e4724191df90a0f34e2c720a1

General

Target

39f74ebae6375d0c41bd837a75644708.exe
Size

5.1MB
MD5

39f74ebae6375d0c41bd837a75644708
SHA1

55c381fe2d03238989a19044b797c15f5dc55ad1
SHA256

e9af1b584b9ed0bddeb605b4e444356719eea83e4724191df90a0f34e2c720a1
SHA512

c1adcaf8ef8a142185a90390247218912f84c5b5c62b755f014663cf3c99a45c78a5c734b7b0da506b9cba7043ffcecbe0f499ea7a56c200ce8ed8ae4406e40e
SSDEEP

49152:iFrj1z+PuvwmMQozSw8L8OC5wa6JGEWBLkfYsQay3UByeaq3IAgKOuzdV+sRHS0v:EomYRjSlCeqAgf3O48IUTH3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2400	39f74ebae6375d0c41bd837a75644708.exe

Executes dropped EXE 1 IoCs

pid	Process
2400	39f74ebae6375d0c41bd837a75644708.exe

Loads dropped DLL 1 IoCs

pid	Process
1428	39f74ebae6375d0c41bd837a75644708.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1428-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000b000000012251-16.dat	upx
behavioral1/files/0x000b000000012251-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	39f74ebae6375d0c41bd837a75644708.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	39f74ebae6375d0c41bd837a75644708.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1428	39f74ebae6375d0c41bd837a75644708.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1428	39f74ebae6375d0c41bd837a75644708.exe
2400	39f74ebae6375d0c41bd837a75644708.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2400	1428	39f74ebae6375d0c41bd837a75644708.exe	17
PID 1428 wrote to memory of 2400	1428	39f74ebae6375d0c41bd837a75644708.exe	17
PID 1428 wrote to memory of 2400	1428	39f74ebae6375d0c41bd837a75644708.exe	17
PID 1428 wrote to memory of 2400	1428	39f74ebae6375d0c41bd837a75644708.exe	17

C:\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe
"C:\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe
  C:\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe

Filesize
96KB

MD5
615051e9a15f0fc9094cf3d9b8db2450

SHA1
f3ec3f88d76af03991e621ee177fc3d63260e632

SHA256
ec01726e1b71d1c11f96f0c10ea704d47fc23cf374df97c0af06f7c76bd4c25f

SHA512
fbc6218349ce71a2efcb00b2d7a7e94361dccf6b80be17636d059629905d6bcd41a86aa279372ad8e94098eba19eb627779767bf2fafb5aa35955dcc60aaa7e2

Download Submit
\Users\Admin\AppData\Local\Temp\39f74ebae6375d0c41bd837a75644708.exe

Filesize
136KB

MD5
1954b92bf460d873ddbab33bbb8e3423

SHA1
575e882db7fb881b1dc5e14a2eaa8261b14615b4

SHA256
b8d34f6a2f9c575fb06c7f790fb89603f2cc8a28784b2224eeb04d095626f81b

SHA512
e8cccd933bd8f3d863e4766cd214e8f6304b34870b6e441c80e261ad0e7bcda597c50a089521f11e89dd52654ff51a24e10ab36683d54d9628da41b0e3cb5d5c

Download Submit
memory/1428-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1428-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1428-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1428-15-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/1428-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1428-40-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2400-20-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2400-22-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2400-41-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing