926d58fc15937197f51095f53be141c9c59fe29b6e8921625648c698be050e1f

General

Target

4a0408353f5acecfa87a7148c902b69f.exe
Size

11.0MB
MD5

4a0408353f5acecfa87a7148c902b69f
SHA1

07e1586ca467b960e5dfa43c20f121963fd89772
SHA256

926d58fc15937197f51095f53be141c9c59fe29b6e8921625648c698be050e1f
SHA512

749cee3339fb5f9ad919e5b7d18447e77de6864a22a8056fb54fcb101c12fd8e7f59da75f3ccd9b145ef133c307b1fbff9b7d46aeaf7bcee91c39ee7446988ff
SSDEEP

196608:Izo0uKqYU33FR+6crrcwxSccSv9233FR+6c:kTGYU+RrpSq1y+R

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2408	4a0408353f5acecfa87a7148c902b69f.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	4a0408353f5acecfa87a7148c902b69f.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	4a0408353f5acecfa87a7148c902b69f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x00070000000122c4-15.dat	upx
behavioral1/files/0x00070000000122c4-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4a0408353f5acecfa87a7148c902b69f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4a0408353f5acecfa87a7148c902b69f.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	4a0408353f5acecfa87a7148c902b69f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	4a0408353f5acecfa87a7148c902b69f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2308	4a0408353f5acecfa87a7148c902b69f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2308	4a0408353f5acecfa87a7148c902b69f.exe
2408	4a0408353f5acecfa87a7148c902b69f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2408	2308	4a0408353f5acecfa87a7148c902b69f.exe	25
PID 2308 wrote to memory of 2408	2308	4a0408353f5acecfa87a7148c902b69f.exe	25
PID 2308 wrote to memory of 2408	2308	4a0408353f5acecfa87a7148c902b69f.exe	25
PID 2308 wrote to memory of 2408	2308	4a0408353f5acecfa87a7148c902b69f.exe	25

C:\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe
"C:\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe
  C:\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe

Filesize
92KB

MD5
2d29bc2740fa3f04e04dc626ff65646f

SHA1
9b450f5213e5b39065a1176c62a4394f27064298

SHA256
431c672a27a8f24e05b178985bec503322e47a96534847824c7d68ad80308acb

SHA512
fe12efddc40e028084afd42fc768821c343a9c642f7ab178f8b9f48e5d983adf7dacae223607ca5e62cff156d9277874f79dcf2dd38f6098be47d43b649a3729

Download Submit
\Users\Admin\AppData\Local\Temp\4a0408353f5acecfa87a7148c902b69f.exe

Filesize
384KB

MD5
86ec405acfc2b87067f0ddd7e62b4348

SHA1
9f8d3ab9e0efdf076cb44413a826dfe095046726

SHA256
394dc442ac970d1132d91c9cdc6bcd53adc883d05d3857316239749e4f18b753

SHA512
f4e342c1a8fc9691b275b77bf3ba8bd2aabfcffb491270144b3b41989ca126833e8e2217687cf41da2421e1a13fb2044b72737d83b948aac6a3827f151d83d3e

Download Submit
memory/2308-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2308-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2308-4-0x00000000021F0000-0x000000000244A000-memory.dmp

Filesize
2.4MB

Download
memory/2308-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2308-16-0x0000000004E90000-0x000000000582E000-memory.dmp

Filesize
9.6MB

Download
memory/2308-42-0x0000000004E90000-0x000000000582E000-memory.dmp

Filesize
9.6MB

Download
memory/2408-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2408-22-0x00000000021B0000-0x000000000240A000-memory.dmp

Filesize
2.4MB

Download
memory/2408-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing