6456f6790463a6291c762f4173425afe57202143dc82ac7af0daee3bad7c24c7

General

Target

3b6834ca71502c89588ef8d8b830a8fa.exe
Size

3.2MB
MD5

3b6834ca71502c89588ef8d8b830a8fa
SHA1

1cf53022f5b572998825a9752b4dc5f52308edc5
SHA256

6456f6790463a6291c762f4173425afe57202143dc82ac7af0daee3bad7c24c7
SHA512

638546a7a565f052d58d96abb8b670a94b4d06c4bb26780bbac7ffba58dd6355c89146b030d045d268b6d2e70ae4d69a688a5b5a4777bb3672e0cfd581872776
SSDEEP

98304:hksUthjEgXFmBeAcakcDpO5I+v1xVnGfgMdDShcakcCvb98pfi0lmQcakcDpO5Ib:+sUt3XFxAdltO5I+vEBudlCz6mQdltOG

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	3b6834ca71502c89588ef8d8b830a8fa.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	3b6834ca71502c89588ef8d8b830a8fa.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	3b6834ca71502c89588ef8d8b830a8fa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2056-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012243-11.dat	upx
behavioral1/files/0x000a000000012243-17.dat	upx
behavioral1/memory/2832-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2768	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3b6834ca71502c89588ef8d8b830a8fa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3b6834ca71502c89588ef8d8b830a8fa.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	3b6834ca71502c89588ef8d8b830a8fa.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	3b6834ca71502c89588ef8d8b830a8fa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2056	3b6834ca71502c89588ef8d8b830a8fa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2056	3b6834ca71502c89588ef8d8b830a8fa.exe
2832	3b6834ca71502c89588ef8d8b830a8fa.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2832	2056	3b6834ca71502c89588ef8d8b830a8fa.exe	29
PID 2056 wrote to memory of 2832	2056	3b6834ca71502c89588ef8d8b830a8fa.exe	29
PID 2056 wrote to memory of 2832	2056	3b6834ca71502c89588ef8d8b830a8fa.exe	29
PID 2056 wrote to memory of 2832	2056	3b6834ca71502c89588ef8d8b830a8fa.exe	29
PID 2832 wrote to memory of 2768	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	30
PID 2832 wrote to memory of 2768	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	30
PID 2832 wrote to memory of 2768	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	30
PID 2832 wrote to memory of 2768	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	30
PID 2832 wrote to memory of 2960	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	32
PID 2832 wrote to memory of 2960	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	32
PID 2832 wrote to memory of 2960	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	32
PID 2832 wrote to memory of 2960	2832	3b6834ca71502c89588ef8d8b830a8fa.exe	32
PID 2960 wrote to memory of 2948	2960	cmd.exe	34
PID 2960 wrote to memory of 2948	2960	cmd.exe	34
PID 2960 wrote to memory of 2948	2960	cmd.exe	34
PID 2960 wrote to memory of 2948	2960	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe
"C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe
  C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\AmjPkfLM.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe

Filesize
3.2MB

MD5
976761bb7654b3ad6576ed9971838188

SHA1
1a1665e0c0304be65637b665e6d69497b0f7e02e

SHA256
c9dd2b1469fced3f29ab6bc23dc73d0fd08edf89344c90152f3eb2b0fddf6fa3

SHA512
ba7b1f57018b699ecdbaa2f9a88daf69b0d8ba9aec42d798222ef52f5e84d21cac1221a0d622b50fb774f0984f705a171f5585f6149b33787e90dd973cdd40f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmjPkfLM.xml

Filesize
1KB

MD5
e6ce72df79adbeea6b1a0f0b101cc70e

SHA1
ac2d83683f7a222dbde7ddce85452f8d949cb91f

SHA256
05b5c5d6b46be3f28109a8052291111e602f4a5a9f4e1877a9a6fa5f5fbe9e82

SHA512
1682bd7965fe7f806315fbf0ee1c2510475b8bba95fbce61a6c500fbd9722e1a2a7667d343528c19df78490daabbb2414c840beb749c19487d192e5de8184760

Download Submit
\Users\Admin\AppData\Local\Temp\3b6834ca71502c89588ef8d8b830a8fa.exe

Filesize
3.2MB

MD5
0ebbfdfc1471898e9fae20dc1cee8867

SHA1
1aa7d20af4e37527370b222addc91af628b8e80b

SHA256
c4d8658c2bc4a43721b2c569590cf47a6d4655945dda69cf0b5bf9bc00d9a38f

SHA512
305673aabaa0086867413b7fa6aa9bcb598c843b2ac60df77763049fa440da59450b7abf12c886f9f4e561ce1b4fbe3aa780035635b8da174be45f9f98b3d452

Download Submit
memory/2056-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2056-16-0x0000000023520000-0x000000002377C000-memory.dmp

Filesize
2.4MB

Download
memory/2056-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2056-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2056-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2832-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2832-20-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2832-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2832-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2832-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads