83dfced5bb9d1d3719fa8030ca644cde8ecac806260b4cc49140286f2d9c6c6e

General

Target

4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
Size

3.0MB
MD5

4ed2c8f39bedfeacecb37d2b46eb4c9d
SHA1

aac80a0a7aa4d86ce2e89f9e0619009eba3854db
SHA256

83dfced5bb9d1d3719fa8030ca644cde8ecac806260b4cc49140286f2d9c6c6e
SHA512

64426e4cbea7a0ecd5a9241af01af031e732a31ea08c476472213f458b390adb591ea930679c2fb26ddf1306d40836df568d66ac25c4b188ca93c00df340043a
SSDEEP

49152:U7M5g6C6bn+cakLxi71kiJacakLKSQgGiiA8tSjOuk0cakLxi71kiJacakLj:pC6r+cak9i7GiJacakWSQgGZTtSjOuHT

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012185-11.dat	upx
behavioral1/memory/2680-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2680	2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	29
PID 2332 wrote to memory of 2680	2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	29
PID 2332 wrote to memory of 2680	2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	29
PID 2332 wrote to memory of 2680	2332	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	29
PID 2680 wrote to memory of 2792	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	30
PID 2680 wrote to memory of 2792	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	30
PID 2680 wrote to memory of 2792	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	30
PID 2680 wrote to memory of 2792	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	30
PID 2680 wrote to memory of 2784	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	32
PID 2680 wrote to memory of 2784	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	32
PID 2680 wrote to memory of 2784	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	32
PID 2680 wrote to memory of 2784	2680	4ed2c8f39bedfeacecb37d2b46eb4c9d.exe	32
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
"C:\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
  C:\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\mEdzMo.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mEdzMo.xml

Filesize
1KB

MD5
d39dd518df89a5249a7be2ff1a3d9fa0

SHA1
a3f5aebd4f2b2fa49287a3df4fa361d6a3ea4fae

SHA256
7e6b7c77d4fd9582727f0614ef246a8bf091708790300c9f4caba949177776ea

SHA512
38ae71a4a7c7b78f02864783dfb4993b70bae386fbc128689cd2352d2ade77a93f67d021c535a8bb225a86730a0a9b4899b29d536294b757531ec8c9b639812c

Download Submit
\Users\Admin\AppData\Local\Temp\4ed2c8f39bedfeacecb37d2b46eb4c9d.exe

Filesize
3.0MB

MD5
bdcad8e2da81d05328e40feae5257722

SHA1
8457c9d06e38343d771e8e4e530463a76b42bbd2

SHA256
c5b671814567e8571ef7af727b863d9346dc5af49e09d5c44ba95380ada0f70a

SHA512
46fd4f032f908da93512cef05fe8886b962772f370afde397149fe3cdb3854488d4dc0547b57951f074e3d01b1b46a6f899909877fac45f1a2ef97aedc3f6d51

Download Submit
memory/2332-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2332-2-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2332-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2332-16-0x00000000234A0000-0x00000000236FC000-memory.dmp

Filesize
2.4MB

Download
memory/2332-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2680-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2680-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2680-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2680-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2680-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads