351f7a26dbebad308b85b0d33298afa63e9f1ffbdcd3a7fbab60100881dc9139

General

Target

5744bafcc0d51f626027874d4f982664.exe
Size

3.2MB
MD5

5744bafcc0d51f626027874d4f982664
SHA1

b0465500c6784eee5a1334da628a83653be5ea67
SHA256

351f7a26dbebad308b85b0d33298afa63e9f1ffbdcd3a7fbab60100881dc9139
SHA512

5e9b5b15a58fb7acaa4fcbb5f4f827abe0d6c37c487fcdae9cfa4f14cd422b1f5595c4c3d55d1cb5ce5250ec3f8da72f408e11cf4ceb67af22b1a3bc5b2d933a
SSDEEP

98304:qvI8wdjicakcmzU581lcakcwUrHLofycakcmzU581lcakcO:6I8wMdlmg587dlwqkfydlmg587dlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	5744bafcc0d51f626027874d4f982664.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	5744bafcc0d51f626027874d4f982664.exe

Loads dropped DLL 1 IoCs

pid	Process
2252	5744bafcc0d51f626027874d4f982664.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000122dc-11.dat	upx
behavioral1/files/0x000b0000000122dc-17.dat	upx
behavioral1/memory/2252-16-0x00000000234A0000-0x00000000236FC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2624	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	5744bafcc0d51f626027874d4f982664.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	5744bafcc0d51f626027874d4f982664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5744bafcc0d51f626027874d4f982664.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5744bafcc0d51f626027874d4f982664.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2252	5744bafcc0d51f626027874d4f982664.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2252	5744bafcc0d51f626027874d4f982664.exe
3068	5744bafcc0d51f626027874d4f982664.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3068	2252	5744bafcc0d51f626027874d4f982664.exe	29
PID 2252 wrote to memory of 3068	2252	5744bafcc0d51f626027874d4f982664.exe	29
PID 2252 wrote to memory of 3068	2252	5744bafcc0d51f626027874d4f982664.exe	29
PID 2252 wrote to memory of 3068	2252	5744bafcc0d51f626027874d4f982664.exe	29
PID 3068 wrote to memory of 2624	3068	5744bafcc0d51f626027874d4f982664.exe	30
PID 3068 wrote to memory of 2624	3068	5744bafcc0d51f626027874d4f982664.exe	30
PID 3068 wrote to memory of 2624	3068	5744bafcc0d51f626027874d4f982664.exe	30
PID 3068 wrote to memory of 2624	3068	5744bafcc0d51f626027874d4f982664.exe	30
PID 3068 wrote to memory of 2724	3068	5744bafcc0d51f626027874d4f982664.exe	32
PID 3068 wrote to memory of 2724	3068	5744bafcc0d51f626027874d4f982664.exe	32
PID 3068 wrote to memory of 2724	3068	5744bafcc0d51f626027874d4f982664.exe	32
PID 3068 wrote to memory of 2724	3068	5744bafcc0d51f626027874d4f982664.exe	32
PID 2724 wrote to memory of 2748	2724	cmd.exe	33
PID 2724 wrote to memory of 2748	2724	cmd.exe	33
PID 2724 wrote to memory of 2748	2724	cmd.exe	33
PID 2724 wrote to memory of 2748	2724	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe
"C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe
  C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\xLPcTqJ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN qm2lmOfce5f6
      4⤵
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe

Filesize
1.7MB

MD5
b87a89ef5dd6bed4f29f9a3d1162ccca

SHA1
2291e4982f9e1dc9c0fdec23a6daca4b0bd85c73

SHA256
1270b38673843f1b83fe66bb9072a12ec10e47f7a7912dc02e728b2c6aaed3b9

SHA512
fd24e4c20e5fcab3e281d46bdaacd74c1c531ef224400d55a38c5fa2ecd97764396a00a57249560ada352e0db39ff6ffd4ac35f25f97e531c6ab022dc557f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLPcTqJ.xml

Filesize
1KB

MD5
0a381c1f129e168dab055f0e55b573df

SHA1
339fb091f1b9155924c2ddc4b5da356f1db34bb5

SHA256
6f725f8b2faa8a79528b2135ea2b17e9079145909d832374a41c2db45cb94c6d

SHA512
e8e5927fd0eb78a6155ff6dc1679a044c22c859be9f0838a57039bcfbc7e3e1b5c5b356920226fa3f25085530f6876df43a3d9dc6718a80f530519609aafb317

Download Submit
\Users\Admin\AppData\Local\Temp\5744bafcc0d51f626027874d4f982664.exe

Filesize
1.2MB

MD5
6022c63a4dc138d7fb4776a38fe045aa

SHA1
54ae9d794638f7dc8d5c8ee5badc4158c1708a8b

SHA256
7eaeb80dd151360784035806010bd7be31cd13baf9863719ade466762b5b6255

SHA512
545fe6963b660d1d0a1efd2009691c26357add58b1b3e0a4cd296e13ccdf2e9fc6a2b753a67d4128601670a29cba05c2666af88adcfcfe5a87ddd9cdc8b5d500

Download Submit
memory/2252-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2252-2-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2252-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2252-16-0x00000000234A0000-0x00000000236FC000-memory.dmp

Filesize
2.4MB

Download
memory/2252-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3068-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3068-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-27-0x00000000002A0000-0x000000000030B000-memory.dmp

Filesize
428KB

Download
memory/3068-21-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/3068-42-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads