1e744676eb111d50c3388629b1575004f15c966c81eb72a64906c0273c69dbfe

General

Target

3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
Size

302KB
MD5

3e97cc82a6bb80cddc09f6ebb32e7e1f
SHA1

d8436b96f89d797d1cd751a70febf911ed5042a7
SHA256

1e744676eb111d50c3388629b1575004f15c966c81eb72a64906c0273c69dbfe
SHA512

2d2efc87a396ce158fab4e6e13e9ecc92d6a4ac6c396da401c41a9768c57d1027fa4bbf761b3bae1ccbaa24f4b7b1f3421a329e4a1d1112c689db27a9cb3f8f3
SSDEEP

6144:X73ysZl3osqScXq5PlGXytIMSU2px3Vx1P6n/mQ:r3/l3oGcXqBtIx5xV6/m

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2396	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x0009000000015d1a-11.dat	upx
behavioral1/files/0x0009000000015d1a-16.dat	upx
behavioral1/memory/2396-17-0x0000000000400000-0x00000000004E0000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
2396	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2396	2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe	29
PID 2012 wrote to memory of 2396	2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe	29
PID 2012 wrote to memory of 2396	2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe	29
PID 2012 wrote to memory of 2396	2012	3e97cc82a6bb80cddc09f6ebb32e7e1f.exe	29

C:\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
"C:\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
  C:\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Filesize
92KB

MD5
2c05546f0e8c4fb3f7eb8dba70b320c6

SHA1
af19c10fc3a78b5f9efd393f38006bd679c5c434

SHA256
73d81dcbc8e51c0f9e90d40791890c32b996d7b86e26646f618a1f51768cede9

SHA512
1383f5c70bbcb6b879234778004ca70184f0975dadd2c625b5b9f240f61e67a07b20afe0627e9c478a60aadf537e661d2fc8879904b13e6e80c8ab1908c0be71

Download Submit
\Users\Admin\AppData\Local\Temp\3e97cc82a6bb80cddc09f6ebb32e7e1f.exe

Filesize
302KB

MD5
55c389251994a05248bb7ccf7287d0d8

SHA1
e99bfc83aad621d6d5f35a42b16e8924d2da17d4

SHA256
590394ff99618ed6e5c1c9d47ff192e8587e570da6c8baa5156f0b6df1c58995

SHA512
dc245dcf96307dba0f546bb1c07d2bdfe993a53bfd13c39aad46390462cb9723152b699f2f5ee19428f80c5464c62e79886f5cd6fbc3979b0f81c12fc8f3ebdf

Download Submit
memory/2012-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2012-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-1-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2012-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-19-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2396-17-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2396-33-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing