58fefaca6cd2a65f85b0f22e5212e49cd4f549aef33d69bdef0d3142d13287d2

General

Target

572ee1bc03d8a1b97f54bc2c5d0984c6.exe
Size

2.6MB
MD5

572ee1bc03d8a1b97f54bc2c5d0984c6
SHA1

18c7e3286b02114ae82034fa6d9bac5f502a8c45
SHA256

58fefaca6cd2a65f85b0f22e5212e49cd4f549aef33d69bdef0d3142d13287d2
SHA512

caec56fa86b84a7d4eef3468aadadda1f5dacd74e751374062b01e41f6835c4330618e2d1b2d5ae3522b29d01eaea51dc5860c1cf8c74f4c55ba98f363f9e680
SSDEEP

49152:v/venrp7MaAi/vCtan3OKBHw5oLcNcUcTB2r+hNGsypgvtzoQay3:grpHCtg8e0MTKk40R3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000a0000000135c2-11.dat	upx
behavioral1/files/0x000a0000000135c2-14.dat	upx
behavioral1/memory/2884-19-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	572ee1bc03d8a1b97f54bc2c5d0984c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	572ee1bc03d8a1b97f54bc2c5d0984c6.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	572ee1bc03d8a1b97f54bc2c5d0984c6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe
2884	572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2884	2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe	28
PID 2068 wrote to memory of 2884	2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe	28
PID 2068 wrote to memory of 2884	2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe	28
PID 2068 wrote to memory of 2884	2068	572ee1bc03d8a1b97f54bc2c5d0984c6.exe	28

C:\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe
"C:\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe
  C:\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Filesize
157KB

MD5
6bfcba87a2a462eace9f369d6b233222

SHA1
8694ad46a803688c7eb4f1f34c3c01e36611a77c

SHA256
6759d20ca4a9f414e2b6bdb2597884f31dffa2493367126894a941b31c58b96b

SHA512
2df15e6c1f14a96b65c4611e164cfc696b0c2bae7fdb3b05d5541cad4c8c199fa2c04d81c0ce8053c4517660647fe80a2f14a19edf54e27c71c38f817790d056

Download Submit
\Users\Admin\AppData\Local\Temp\572ee1bc03d8a1b97f54bc2c5d0984c6.exe

Filesize
349KB

MD5
37c385b365b7fb78844f79979913f720

SHA1
5e7f56d19b85cb7291be69bb2a975a402c240694

SHA256
46ba1e83fd0db3bf9564b0c37d0899c643a2cc6532d4ad0c99341d7ed97b9785

SHA512
0be054c77c8f56aad8f7812547b2a9a018558180fb37f9d1f5575c2edee774ccfd4db396a6e4e9349d9a715081d97dd27b290a590583233e1ac3a842dd2af614

Download Submit
memory/2068-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2068-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2068-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2068-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2068-16-0x00000000038A0000-0x000000000423E000-memory.dmp

Filesize
9.6MB

Download
memory/2068-43-0x00000000038A0000-0x000000000423E000-memory.dmp

Filesize
9.6MB

Download
memory/2884-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2884-21-0x0000000002210000-0x000000000246A000-memory.dmp

Filesize
2.4MB

Download
memory/2884-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing