ce18fb01774494f934875f6adbeed652659741f33ff6945d9bdce1b5a87f455a

General

Target

3d39c1639f178db1f0f0ee431fade7c4.exe
Size

2.0MB
MD5

3d39c1639f178db1f0f0ee431fade7c4
SHA1

52aa84674cbaa2647584205a8b5eb2d94f1545eb
SHA256

ce18fb01774494f934875f6adbeed652659741f33ff6945d9bdce1b5a87f455a
SHA512

1c0de248c67866cbbbdce5a0fa73c1e9962cbc09c9c400859db8d1ef0e28206cfb4080a2dbac7b64800445e51715c160d56ecae8eba02c87b8ec10da00914302
SSDEEP

49152:Z8ovK0nEZFYbYi9GQ7ai7D3xTgOxYwpKhdWN5uqa/JY814GQ7ai7D3xTgOxYwpK:ZBvK0n4FYbtD2i7D3xkOxYwpKPWPra/L

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2464	3d39c1639f178db1f0f0ee431fade7c4.exe

Executes dropped EXE 1 IoCs

pid	Process
2464	3d39c1639f178db1f0f0ee431fade7c4.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	3d39c1639f178db1f0f0ee431fade7c4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012274-11.dat	upx
behavioral1/files/0x000a000000012274-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2836	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	3d39c1639f178db1f0f0ee431fade7c4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	3d39c1639f178db1f0f0ee431fade7c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3d39c1639f178db1f0f0ee431fade7c4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3d39c1639f178db1f0f0ee431fade7c4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2176	3d39c1639f178db1f0f0ee431fade7c4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2176	3d39c1639f178db1f0f0ee431fade7c4.exe
2464	3d39c1639f178db1f0f0ee431fade7c4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2464	2176	3d39c1639f178db1f0f0ee431fade7c4.exe	29
PID 2176 wrote to memory of 2464	2176	3d39c1639f178db1f0f0ee431fade7c4.exe	29
PID 2176 wrote to memory of 2464	2176	3d39c1639f178db1f0f0ee431fade7c4.exe	29
PID 2176 wrote to memory of 2464	2176	3d39c1639f178db1f0f0ee431fade7c4.exe	29
PID 2464 wrote to memory of 2836	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	30
PID 2464 wrote to memory of 2836	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	30
PID 2464 wrote to memory of 2836	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	30
PID 2464 wrote to memory of 2836	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	30
PID 2464 wrote to memory of 2864	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	34
PID 2464 wrote to memory of 2864	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	34
PID 2464 wrote to memory of 2864	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	34
PID 2464 wrote to memory of 2864	2464	3d39c1639f178db1f0f0ee431fade7c4.exe	34
PID 2864 wrote to memory of 2472	2864	cmd.exe	36
PID 2864 wrote to memory of 2472	2864	cmd.exe	36
PID 2864 wrote to memory of 2472	2864	cmd.exe	36
PID 2864 wrote to memory of 2472	2864	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe
"C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe
  C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe" /TN m8v9k5kD0c8e /F
    3⤵
    - Creates scheduled task(s)
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\ZYDj1F.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN m8v9k5kD0c8e
      4⤵
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe

Filesize
410KB

MD5
d62331409bc9ea236e980d9f2a012611

SHA1
cd34c0fc59a008fd49927572c98a05d11264a720

SHA256
138a5ac0898e1c5e1f5c1513d8f55c682ef985d65cd978b3889c1edc28e3c0ae

SHA512
0d35c57b5fa91994b8413544c6c4c74fd4643bdf8732f1963be47877361de49d653574cc28c0549e3015c6a6deae9d49781c2639491df93fb29c51fea8133cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYDj1F.xml

Filesize
1KB

MD5
ba1615ea4d5a9971c613c1ddf96d4f5e

SHA1
5a58090774f54b01a1714d05f9b5d5769dfe8fb9

SHA256
8e591f26a1f33fb6d0aded9d4c1a9dd954e5db135a4d9490ae49c10bbd52c765

SHA512
52f570472cf8fce740dbc6c875544c109e0c458f2be3a6c89d10ac1cc70510a395eab0a48aa89bba5c713ec2c6999d2f694a60ba247217e66ee0c56f050c7eeb

Download Submit
\Users\Admin\AppData\Local\Temp\3d39c1639f178db1f0f0ee431fade7c4.exe

Filesize
468KB

MD5
71b409e3bdc7b91a203fae960f136bec

SHA1
b6ab6e6c8923f9cc2e311c26143e791c9b194b0a

SHA256
fbb37fb04fcc252adb79eb9ce8f65e138b21522f2d256e647d466b2cf764e919

SHA512
bad121d3e7b2754ecf2701b65d437c26137bedcc6659afdb74defbd17d0ba01d595307d9d7e380d86efa651a22503fd09c0fc8cbaedc59556ac30df7523cd17c

Download Submit
memory/2176-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2176-16-0x00000000232E0000-0x000000002353C000-memory.dmp

Filesize
2.4MB

Download
memory/2176-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2176-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2176-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2176-36-0x00000000232E0000-0x000000002353C000-memory.dmp

Filesize
2.4MB

Download
memory/2464-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2464-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-23-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2464-27-0x00000000002A0000-0x000000000030B000-memory.dmp

Filesize
428KB

Download
memory/2464-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads