dbb563af320c2c9773eb22d497bda9308639eec561d52da829b75bce00d4eb83

General

Target

4e5ed707bd61e6261f529efdbb49df6c.exe
Size

1003KB
MD5

4e5ed707bd61e6261f529efdbb49df6c
SHA1

2657fc2b1621a1453e5b4a2baa586d321084d1d5
SHA256

dbb563af320c2c9773eb22d497bda9308639eec561d52da829b75bce00d4eb83
SHA512

6b093c7b750a676ec90bd565c6be967d8be2a6c6306f7fda31de2f297157454ea1ce8dd55ed5e5b9172dab9dcc8eec54d9f41213e5c3a02be5d4b6e73da0f6af
SSDEEP

24576:4zyDtLN6dkDvzxcjukL2CDYibq6/yqLNaF:4zyDtLNJbzxcakLz0ibq6yqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
608	4e5ed707bd61e6261f529efdbb49df6c.exe

Executes dropped EXE 1 IoCs

pid	Process
608	4e5ed707bd61e6261f529efdbb49df6c.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	4e5ed707bd61e6261f529efdbb49df6c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00090000000120e1-11.dat	upx
behavioral1/memory/2000-16-0x0000000022F20000-0x000000002317C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4e5ed707bd61e6261f529efdbb49df6c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4e5ed707bd61e6261f529efdbb49df6c.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	4e5ed707bd61e6261f529efdbb49df6c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	4e5ed707bd61e6261f529efdbb49df6c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2000	4e5ed707bd61e6261f529efdbb49df6c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2000	4e5ed707bd61e6261f529efdbb49df6c.exe
608	4e5ed707bd61e6261f529efdbb49df6c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 608	2000	4e5ed707bd61e6261f529efdbb49df6c.exe	29
PID 2000 wrote to memory of 608	2000	4e5ed707bd61e6261f529efdbb49df6c.exe	29
PID 2000 wrote to memory of 608	2000	4e5ed707bd61e6261f529efdbb49df6c.exe	29
PID 2000 wrote to memory of 608	2000	4e5ed707bd61e6261f529efdbb49df6c.exe	29
PID 608 wrote to memory of 2660	608	4e5ed707bd61e6261f529efdbb49df6c.exe	30
PID 608 wrote to memory of 2660	608	4e5ed707bd61e6261f529efdbb49df6c.exe	30
PID 608 wrote to memory of 2660	608	4e5ed707bd61e6261f529efdbb49df6c.exe	30
PID 608 wrote to memory of 2660	608	4e5ed707bd61e6261f529efdbb49df6c.exe	30
PID 608 wrote to memory of 2092	608	4e5ed707bd61e6261f529efdbb49df6c.exe	32
PID 608 wrote to memory of 2092	608	4e5ed707bd61e6261f529efdbb49df6c.exe	32
PID 608 wrote to memory of 2092	608	4e5ed707bd61e6261f529efdbb49df6c.exe	32
PID 608 wrote to memory of 2092	608	4e5ed707bd61e6261f529efdbb49df6c.exe	32
PID 2092 wrote to memory of 2712	2092	cmd.exe	34
PID 2092 wrote to memory of 2712	2092	cmd.exe	34
PID 2092 wrote to memory of 2712	2092	cmd.exe	34
PID 2092 wrote to memory of 2712	2092	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe
"C:\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe
  C:\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\UVNxbFig.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UVNxbFig.xml

Filesize
1KB

MD5
bab457e7e8d362e4ce5053f529f0eb66

SHA1
04e5ca8e104dc7d120798e7a0761f87e391e926f

SHA256
c147964d71bdbdc1ad82f1147a0f0f5d00f8764c33ddf1a67840f417d765eb60

SHA512
82f43e91238e08227028d46a289ffe0cb5b7726be4af014802a6c9bc72fefc1585702bd906042b8042438e5619aaadc4cf5af8a71e1954c2c09be60f7a8ade73

Download Submit
\Users\Admin\AppData\Local\Temp\4e5ed707bd61e6261f529efdbb49df6c.exe

Filesize
1003KB

MD5
9c9c5659b3c4674dbf91715d2b587704

SHA1
fc694f9a4db29d9230d2f6ccda3690144a4f2602

SHA256
09c73f48ddfebe3ce0bb56106844c926811cfc8380cc16fa98fb40d6304982c4

SHA512
4325d156d3e02fe8b2625c5957396211ec258c8a5e6beb1e88255763e77b309670871d62d507fe1079e4c9d60bdb0bbd36ed8c53bec78854e0a8c9b0c87eefa0

Download Submit
memory/608-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/608-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/608-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/608-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/608-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2000-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2000-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2000-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2000-16-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/2000-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads