856d777cd1a661ee404f45a9e84b107315eebe660110e69a0c2bea203be71442

General

Target

4722d2f97702c2661b91c5765bc2cf0c.exe
Size

1.5MB
MD5

4722d2f97702c2661b91c5765bc2cf0c
SHA1

f2c02ba410c46ae5a4d131c6ba1db99fcf4c7b95
SHA256

856d777cd1a661ee404f45a9e84b107315eebe660110e69a0c2bea203be71442
SHA512

2b22c5e4a7dcd1459a592c328ceb07fe4b50a86dfc44ff83f574e60aaf1b4a8e9aeda374146a47842ff06196fef2d08ad4c3de07d7e85446b5f17d9bd3204050
SSDEEP

24576:QnsP5FTw6GlqlkqC3CJihExIjTwQLyhWveB+4goGQoadai7D3uITjIFOxo53ApIj:QnsPLTw6CqqqCUihExIjTwQLyhWveB+Z

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	4722d2f97702c2661b91c5765bc2cf0c.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	4722d2f97702c2661b91c5765bc2cf0c.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	4722d2f97702c2661b91c5765bc2cf0c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0003000000004ed5-11.dat	upx
behavioral1/files/0x0003000000004ed5-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4722d2f97702c2661b91c5765bc2cf0c.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	4722d2f97702c2661b91c5765bc2cf0c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	4722d2f97702c2661b91c5765bc2cf0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4722d2f97702c2661b91c5765bc2cf0c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	4722d2f97702c2661b91c5765bc2cf0c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	4722d2f97702c2661b91c5765bc2cf0c.exe
2740	4722d2f97702c2661b91c5765bc2cf0c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2740	1716	4722d2f97702c2661b91c5765bc2cf0c.exe	30
PID 1716 wrote to memory of 2740	1716	4722d2f97702c2661b91c5765bc2cf0c.exe	30
PID 1716 wrote to memory of 2740	1716	4722d2f97702c2661b91c5765bc2cf0c.exe	30
PID 1716 wrote to memory of 2740	1716	4722d2f97702c2661b91c5765bc2cf0c.exe	30
PID 2740 wrote to memory of 2852	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	32
PID 2740 wrote to memory of 2852	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	32
PID 2740 wrote to memory of 2852	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	32
PID 2740 wrote to memory of 2852	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	32
PID 2740 wrote to memory of 2752	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	33
PID 2740 wrote to memory of 2752	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	33
PID 2740 wrote to memory of 2752	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	33
PID 2740 wrote to memory of 2752	2740	4722d2f97702c2661b91c5765bc2cf0c.exe	33
PID 2752 wrote to memory of 112	2752	cmd.exe	35
PID 2752 wrote to memory of 112	2752	cmd.exe	35
PID 2752 wrote to memory of 112	2752	cmd.exe	35
PID 2752 wrote to memory of 112	2752	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe
"C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe
  C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe" /TN m8v9k5kD0c8e /F
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\2Ms4TJ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN m8v9k5kD0c8e
      4⤵
      PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2Ms4TJ.xml

Filesize
1KB

MD5
2a1657c81f189a1024286d46c4ccb2de

SHA1
43358f4b74fe837d8d8ffec40ab5f1350d86aae4

SHA256
5fd56dd6466c3d55f3270efcab4dc2f1b14e5fc86e7e991255c92af0f5fecf92

SHA512
f970cc1c656b77786d9709c3faf42e2dd19230a4dbf563495838300a885e9fead6d6022fe18ac2d6ccc643cb1c7fe21fcd343210580ce8a224d99f962d3ec0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe

Filesize
54KB

MD5
14c0e70af6940f59d80f68c5c8c39df1

SHA1
5ac76be55342cd4fa25c31611e3a80611c5607f7

SHA256
e4c17c48d73829e6daac7e2a835c823b858f0c7bd7145aca5b51db8cbc76669c

SHA512
947faa899aeacc5ac9ee6ad2c1c070579c18c1a7874ecb4adce9e2baa35dcb420cf701f8414fff555bb104ee18dbc549ccc47b558ded520cb10b7e30a5ccf82a

Download Submit
\Users\Admin\AppData\Local\Temp\4722d2f97702c2661b91c5765bc2cf0c.exe

Filesize
146KB

MD5
c07406f3f42081082e05a8b73c0474a2

SHA1
1e893805b06610dc0827c5767babed6d23395646

SHA256
84ad8f538434f11a8e60f01dbd71af1a72de6f7b565782643d9b2f3aa148d1da

SHA512
e5ab0efe0d902b94ecff50e3d93e921e4c45606a711822a5649240b6576726fde67a7f31c33d1e0945a659e5dbeab442898de81514d786a519bddadc97850ae9

Download Submit
memory/1716-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1716-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1716-3-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/1716-16-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2740-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2740-28-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2740-26-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2740-23-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2740-31-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads