1a97269d381b1b47c0ebb681ecdb8968b6dd53d9fb3d793be392ecea6ba7d7c7

General

Target

4eb0cbbad26ef5269609d9a4a0fbc027.exe
Size

302KB
MD5

4eb0cbbad26ef5269609d9a4a0fbc027
SHA1

5eb9b6edd156e8e9846880f4506958fd4356bf3c
SHA256

1a97269d381b1b47c0ebb681ecdb8968b6dd53d9fb3d793be392ecea6ba7d7c7
SHA512

0955cde2b834d20131f49ae2046d33749fc12f0a8f6eeb530621a593a8706b253790ac0832228aeee4034c61139ffbf9148f931253ae9da325f13caefc22a06b
SSDEEP

6144:e00UisYRbbpk4hHOPlFtbGO0439G2NMmQ:90UtYRbbp3tOPZbDem

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2272	4eb0cbbad26ef5269609d9a4a0fbc027.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	4eb0cbbad26ef5269609d9a4a0fbc027.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000a000000012257-11.dat	upx
behavioral1/files/0x000a000000012257-17.dat	upx

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4eb0cbbad26ef5269609d9a4a0fbc027.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4eb0cbbad26ef5269609d9a4a0fbc027.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe
2272	4eb0cbbad26ef5269609d9a4a0fbc027.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2272	2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe	14
PID 2648 wrote to memory of 2272	2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe	14
PID 2648 wrote to memory of 2272	2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe	14
PID 2648 wrote to memory of 2272	2648	4eb0cbbad26ef5269609d9a4a0fbc027.exe	14

C:\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe
C:\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2272

C:\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe
"C:\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe

Filesize
59KB

MD5
297c08adf684b4d1d76abbe44be75d72

SHA1
1e578eff8690fd80eea4cefef9d01ceea4e75421

SHA256
a5c54a4e4899a720a156fd2df14b47d68a4a83e882319d245edb61ba61b5789f

SHA512
319d417c831e7cb23a18240c52ea243c820c9371e68f384aaa8790a0a2d2dc93355bd2eb81f1d4a91de7601ec6dd7187b0d63c357335f0c96adbecebff80e5ea

Download Submit
\Users\Admin\AppData\Local\Temp\4eb0cbbad26ef5269609d9a4a0fbc027.exe

Filesize
72KB

MD5
5f2df65886792789eb93906cdd3b62d3

SHA1
1912f6e82700b26a38446b2755cfc3c16fbd2511

SHA256
e26254b6b150252ba5a69e5e95e16cf8501fdca704d9220e97339ff2efba291c

SHA512
f972891c9a718c272a7ec3e47a4bc750a1deb87358e19b396976b2dbd5e91787c52ce0aa12085c759cc6229a9bdc58f56ed8826f37a81a8db8125c05387a1abf

Download Submit
memory/2272-20-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/2272-43-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2648-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2648-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-1-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2648-16-0x0000000022D70000-0x0000000022E50000-memory.dmp

Filesize
896KB

Download
memory/2648-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-42-0x0000000022D70000-0x0000000022E50000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing