dfb7719f732e493a6066bc70b4760722ed74dc6ba7d06af0365ad14ded9e0811

General

Target

3addee1e396acc6e548aec7bb2454b9e.exe
Size

2.6MB
MD5

3addee1e396acc6e548aec7bb2454b9e
SHA1

c70cce7e5421b36bf66b135e05e5ac810760f6f3
SHA256

dfb7719f732e493a6066bc70b4760722ed74dc6ba7d06af0365ad14ded9e0811
SHA512

09d4237e50906082751b0edee91d8a009fa9ef3b0d3fd2da018d5954df6de341e6edb8c526ca379510d4bba463297d5a3f84b355b8c34bb1f34188a8557da098
SSDEEP

49152:JKyYgI7pxBakMhsA7D3XEOGpj9Fhzh5Rml3j93+d3TDkHay3:8pPH4Xu7heNykP3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1692	3addee1e396acc6e548aec7bb2454b9e.exe

Executes dropped EXE 1 IoCs

pid	Process
1692	3addee1e396acc6e548aec7bb2454b9e.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	3addee1e396acc6e548aec7bb2454b9e.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/memory/1692-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x00090000000142c4-14.dat	upx
behavioral1/files/0x00090000000142c4-13.dat	upx
behavioral1/files/0x00090000000142c4-11.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3addee1e396acc6e548aec7bb2454b9e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3addee1e396acc6e548aec7bb2454b9e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2328	3addee1e396acc6e548aec7bb2454b9e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2328	3addee1e396acc6e548aec7bb2454b9e.exe
1692	3addee1e396acc6e548aec7bb2454b9e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1692	2328	3addee1e396acc6e548aec7bb2454b9e.exe	28
PID 2328 wrote to memory of 1692	2328	3addee1e396acc6e548aec7bb2454b9e.exe	28
PID 2328 wrote to memory of 1692	2328	3addee1e396acc6e548aec7bb2454b9e.exe	28
PID 2328 wrote to memory of 1692	2328	3addee1e396acc6e548aec7bb2454b9e.exe	28

C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe
"C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe
  C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe

Filesize
199KB

MD5
ba0cccc83afed38bf5e6e1bf9368e42c

SHA1
96993b9e49378f89b93eba4f404b7be4616cf323

SHA256
64b906ec665d35b308d05dba57d0109579372d0974ec6f3157e4d436a77f6698

SHA512
50a3f07cdfc8b16e624b0161a7ae98740343094e620141d98a7c778c3a5c298d0c2f68e9d9cc0506b334a01bc6cea88c2a2ac4c1209c424d265c882a4fec397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe

Filesize
176KB

MD5
4ce18d11df20596efd6046366f32b2b4

SHA1
26e2bfd14fc4fbeb20d0a49b33ac0da06a01cbbb

SHA256
bceb0eff7cf13fb0bd78f499b5558523aa1c2dd91bc3137529bf6ec948308ffd

SHA512
b685e617737a47aa8fb3be5b99d3d20328bc6abe48ea9a90b1a01b6129776fac02295d7c2f91568797dccc518f505c0c007bfd899e414849f26124a905f170ee

Download Submit
\Users\Admin\AppData\Local\Temp\3addee1e396acc6e548aec7bb2454b9e.exe

Filesize
149KB

MD5
8533229853d3aad49cac3bf7c8d5568a

SHA1
beb9e27d31bb6e44d37caae4524dca6925a99855

SHA256
020d54670432599dcdfdfac2399a181f292473c9b8e6bb9e7d9e811a15e063bd

SHA512
d7854416c9892332d2837846cd3eca180ea7397bcbea882081582e8ed98f21bf8b976da8d9469f5b5ddd26a7bc45f54ffd49643b166a47a8332bcb03b8f929db

Download Submit
memory/1692-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1692-20-0x0000000002280000-0x00000000024DA000-memory.dmp

Filesize
2.4MB

Download
memory/1692-34-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2328-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2328-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2328-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2328-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2328-16-0x00000000038A0000-0x000000000423E000-memory.dmp

Filesize
9.6MB

Download
memory/2328-33-0x00000000038A0000-0x000000000423E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing