73539d1e34220f32a1dd374f0675d3a178b66d85e97613d770a9d35add8d3236

General

Target

417e58e055b6071e1bc522503d2a36e2.exe
Size

133KB
MD5

417e58e055b6071e1bc522503d2a36e2
SHA1

ab7505f5c9a722e70b88622239232a83edb9f341
SHA256

73539d1e34220f32a1dd374f0675d3a178b66d85e97613d770a9d35add8d3236
SHA512

22fdcceef70bf1cd215acb76283a978d12250b058ec5127ea0eedea7ca50327153945602634a8d49275cc41c9608dcba1e0afd8a1f6af665f4e7d3576f96546e
SSDEEP

3072:NF67Lxa2hbzGARTL2ZlCS0iEvMx55lrJ2uDCL5NQ:N87Na21z9TL7NYxHbC5NQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	417e58e055b6071e1bc522503d2a36e2.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	417e58e055b6071e1bc522503d2a36e2.exe

Loads dropped DLL 1 IoCs

pid	Process
2636	417e58e055b6071e1bc522503d2a36e2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2636-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000800000001225a-11.dat	upx
behavioral1/memory/2700-17-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000800000001225a-16.dat	upx
behavioral1/memory/2636-13-0x0000000001490000-0x0000000001516000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	417e58e055b6071e1bc522503d2a36e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	417e58e055b6071e1bc522503d2a36e2.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	417e58e055b6071e1bc522503d2a36e2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	417e58e055b6071e1bc522503d2a36e2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2636	417e58e055b6071e1bc522503d2a36e2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2636	417e58e055b6071e1bc522503d2a36e2.exe
2700	417e58e055b6071e1bc522503d2a36e2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2700	2636	417e58e055b6071e1bc522503d2a36e2.exe	29
PID 2636 wrote to memory of 2700	2636	417e58e055b6071e1bc522503d2a36e2.exe	29
PID 2636 wrote to memory of 2700	2636	417e58e055b6071e1bc522503d2a36e2.exe	29
PID 2636 wrote to memory of 2700	2636	417e58e055b6071e1bc522503d2a36e2.exe	29

C:\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe
"C:\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe
  C:\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe

Filesize
133KB

MD5
80d685794cbf615764dba89ddedd0fce

SHA1
da70a77126fedbd1a5b70a6c1d39078da6fca35f

SHA256
ec2199fdbd045c4b9580a3308195036fff22646bc7ca73d27d847c9314346767

SHA512
6c663c571e29acccce5f9f678857cffa0a711bbf75024293e1b61b9ffb7f3d8eaf07d34ed09d4d477e0f86d0d9a50528fae17b63667e130277f95a2405b95c66

Download Submit
\Users\Admin\AppData\Local\Temp\417e58e055b6071e1bc522503d2a36e2.exe

Filesize
53KB

MD5
2dadca5d376bde812400f52eabbe252e

SHA1
66e47b337110645de4d91b98a8bf7cc6e203026b

SHA256
2e27a94b6f19b6e7ce0f8c5bce8b33a2e4cee2f35c55e98ee11bf49021d4339a

SHA512
d715e3ae3c55aae6be555990da1a83fb1d887f6d5caaed984c7aeed2ce74c8fed9a0a0c2173c2e53b2bf5bfa2dc18f4d7efb7215ca96cdb26e88fe9b31399d62

Download Submit
memory/2636-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2636-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2636-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-13-0x0000000001490000-0x0000000001516000-memory.dmp

Filesize
536KB

Download
memory/2700-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-18-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2700-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing