5dab02009ad92a70c941775f52242da8298fc27379fc408bc62426c8fda33059

General

Target

52e322273c61b1aec8542b729a439f2b.exe
Size

133KB
MD5

52e322273c61b1aec8542b729a439f2b
SHA1

ff53f590983bf17ec00d6aab3f1ad877124fff7d
SHA256

5dab02009ad92a70c941775f52242da8298fc27379fc408bc62426c8fda33059
SHA512

dd35a8c22e5f8c456015dc0aa41d7657dfab99020442a556357e585fc37f685fdb3bb2ccb84363ed7c1304bad01dd6699a5491f21ea6b2a0c5969702e5cf2e2e
SSDEEP

3072:U5CuOGAt6VjMZB+IKhcjja4kE476HWDAwsfAE+8cdZlTHiQ:U5C1GAt66cqjFF3NvfdcblGQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	52e322273c61b1aec8542b729a439f2b.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	52e322273c61b1aec8542b729a439f2b.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	52e322273c61b1aec8542b729a439f2b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e00000001224c-11.dat	upx
behavioral1/memory/2128-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000e00000001224c-16.dat	upx
behavioral1/memory/2128-14-0x0000000000370000-0x00000000003F6000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	52e322273c61b1aec8542b729a439f2b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	52e322273c61b1aec8542b729a439f2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	52e322273c61b1aec8542b729a439f2b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	52e322273c61b1aec8542b729a439f2b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2128	52e322273c61b1aec8542b729a439f2b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2128	52e322273c61b1aec8542b729a439f2b.exe
2792	52e322273c61b1aec8542b729a439f2b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2792	2128	52e322273c61b1aec8542b729a439f2b.exe	14
PID 2128 wrote to memory of 2792	2128	52e322273c61b1aec8542b729a439f2b.exe	14
PID 2128 wrote to memory of 2792	2128	52e322273c61b1aec8542b729a439f2b.exe	14
PID 2128 wrote to memory of 2792	2128	52e322273c61b1aec8542b729a439f2b.exe	14

C:\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe
C:\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2792

C:\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe
"C:\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe

Filesize
17KB

MD5
002ec0a91637a3ce495e4be574e521a5

SHA1
3e7ed6dfc400a56f0158548df68cbd03a81c89bf

SHA256
67f81a7b63d4bc4ac73b0f81c6f34f3e624debe5c22cb542fd6b0a676054c059

SHA512
cc8e8d47f8768ff7497e8277fc9c920110bc58ff1e46d353c4edafdea8860d82141e7ee3df819565a19501e2c19548c4a947036e23943ae25cf8e5797700b74c

Download Submit
\Users\Admin\AppData\Local\Temp\52e322273c61b1aec8542b729a439f2b.exe

Filesize
54KB

MD5
5147b2074c4b6ae654e710cf42b561dd

SHA1
d5786f524282db19060b4b8b68ae46e07e97116b

SHA256
29d6ad784dfcdc9e0f29ffa65d27b3bda993cbdd01521e2548323bbf0fbfdc43

SHA512
500b007c12c2d977cc0a9d8ac7bc323906edb1b44c253b6ad12a23a748e6d4f7086717f5a0b2a16a10e9f9e2bdf6712edbd1f5321deebc3611a9c22066b1f98d

Download Submit
memory/2128-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-1-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/2128-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-14-0x0000000000370000-0x00000000003F6000-memory.dmp

Filesize
536KB

Download
memory/2792-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-20-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2792-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing