05b48a098bc38e16ea3725d1a90e4ff2c3341d786aac7d2b66927e0255a96d29

General

Target

41ed7f50d560fd59470daff728c3d7d7.exe
Size

1.6MB
MD5

41ed7f50d560fd59470daff728c3d7d7
SHA1

5f4545111bb14f10e1138812a81aef3211f82fd7
SHA256

05b48a098bc38e16ea3725d1a90e4ff2c3341d786aac7d2b66927e0255a96d29
SHA512

82bd270b8666fdb1d5fce3645ee08f0f90967f69a47282022b717b1139343f7a48ec2ebd206bee1b1e08e7e5d94d6847ab6e032052e8f16094e2590dc5a82f5d
SSDEEP

49152:Dfsz1ychcrWpcakLz0HBDpjg8632wPcakLz0O:7sz1ycyrWpcakchS87ccakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2340	41ed7f50d560fd59470daff728c3d7d7.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	41ed7f50d560fd59470daff728c3d7d7.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	41ed7f50d560fd59470daff728c3d7d7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001223f-11.dat	upx
behavioral1/memory/2340-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001223f-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	41ed7f50d560fd59470daff728c3d7d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	41ed7f50d560fd59470daff728c3d7d7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	41ed7f50d560fd59470daff728c3d7d7.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	41ed7f50d560fd59470daff728c3d7d7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2476	41ed7f50d560fd59470daff728c3d7d7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2476	41ed7f50d560fd59470daff728c3d7d7.exe
2340	41ed7f50d560fd59470daff728c3d7d7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2340	2476	41ed7f50d560fd59470daff728c3d7d7.exe	29
PID 2476 wrote to memory of 2340	2476	41ed7f50d560fd59470daff728c3d7d7.exe	29
PID 2476 wrote to memory of 2340	2476	41ed7f50d560fd59470daff728c3d7d7.exe	29
PID 2476 wrote to memory of 2340	2476	41ed7f50d560fd59470daff728c3d7d7.exe	29
PID 2340 wrote to memory of 2708	2340	41ed7f50d560fd59470daff728c3d7d7.exe	31
PID 2340 wrote to memory of 2708	2340	41ed7f50d560fd59470daff728c3d7d7.exe	31
PID 2340 wrote to memory of 2708	2340	41ed7f50d560fd59470daff728c3d7d7.exe	31
PID 2340 wrote to memory of 2708	2340	41ed7f50d560fd59470daff728c3d7d7.exe	31
PID 2340 wrote to memory of 2364	2340	41ed7f50d560fd59470daff728c3d7d7.exe	33
PID 2340 wrote to memory of 2364	2340	41ed7f50d560fd59470daff728c3d7d7.exe	33
PID 2340 wrote to memory of 2364	2340	41ed7f50d560fd59470daff728c3d7d7.exe	33
PID 2340 wrote to memory of 2364	2340	41ed7f50d560fd59470daff728c3d7d7.exe	33
PID 2364 wrote to memory of 2792	2364	cmd.exe	34
PID 2364 wrote to memory of 2792	2364	cmd.exe	34
PID 2364 wrote to memory of 2792	2364	cmd.exe	34
PID 2364 wrote to memory of 2792	2364	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe
"C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe
  C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\q1UyaOYX.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe

Filesize
766KB

MD5
8ee5fbd0c195584093d47393ac794575

SHA1
61264f70b7f7c346fc639a37508b5df6d2f7bbee

SHA256
bc3a976364908dad7c49544afff07c7d2c755efeee078dd211fb7e17603a8fb5

SHA512
9d283cdb37f6c5411ee2e688a5ca6cfc3a1592260ecf75d18f046494ee701d2f5ec33da331678ffa25ade5b9327a2373a125041e74c97d5f2ebd6f01ec2a1bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1UyaOYX.xml

Filesize
1KB

MD5
220feab88093a914ad3b4e4c44997639

SHA1
ecb60290bbe9be8b75e50b090994b591cb272679

SHA256
e1ac15662395958679ee280fdb5a3071165e7bb53d2f39d10470a079198f5076

SHA512
b6a144b97ccc03017531a77cccb52b73fa748e4ed4663a1141a41bd18a1b65e2c0c375ac2caf1286e1c89480bf15e8edf1fb48fc4a59696cd877ef130708f007

Download Submit
\Users\Admin\AppData\Local\Temp\41ed7f50d560fd59470daff728c3d7d7.exe

Filesize
620KB

MD5
e2196fa182e23fcabf9fcd4330e79afb

SHA1
62428d849587f96d79b7eb02043e0d688ce345ba

SHA256
922678b4849f4d871af9a2ed8dc09cc2651dc5280d25ac443d670c01b458e316

SHA512
a5641fe083fb0cce294d978b0e69eef5c2deda0165e5e85772ed136ac98cb16a99978cb3f0c315372289b1f1a441fe926917bfcf18ada0669ce0659e2e2f2789

Download Submit
memory/2340-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2340-20-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2340-26-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2340-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2340-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2476-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2476-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2476-3-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2476-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads