70d7445f02a1e7663fbd99c5054d4fef67b92c498c239246b6f22759e157e8ff

General

Target

591ccd266ed89ececae5ab8cb4a0117c.exe
Size

1.5MB
MD5

591ccd266ed89ececae5ab8cb4a0117c
SHA1

da2160510e6e354672e43b6319588e3d8415d141
SHA256

70d7445f02a1e7663fbd99c5054d4fef67b92c498c239246b6f22759e157e8ff
SHA512

8b844e631da6791bd36a878051393215058cb69e262d430c2830b949e2ec88030867b7e68c1b97cecbe02957ab7f3c94afce6847a8e52a61b23134f525ec14aa
SSDEEP

24576:p/VtJzFcLz2X9ccjukL20QKzd0ZEUZ06X7BLcjukL2Y:p/jJzqLz2tccakLHQK50ZEIrBLcakLj

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	591ccd266ed89ececae5ab8cb4a0117c.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	591ccd266ed89ececae5ab8cb4a0117c.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	591ccd266ed89ececae5ab8cb4a0117c.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012281-17.dat	upx
behavioral1/memory/2204-16-0x0000000023000000-0x000000002325C000-memory.dmp	upx
behavioral1/files/0x0008000000012281-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	591ccd266ed89ececae5ab8cb4a0117c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	591ccd266ed89ececae5ab8cb4a0117c.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	591ccd266ed89ececae5ab8cb4a0117c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	591ccd266ed89ececae5ab8cb4a0117c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2204	591ccd266ed89ececae5ab8cb4a0117c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2204	591ccd266ed89ececae5ab8cb4a0117c.exe
2268	591ccd266ed89ececae5ab8cb4a0117c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2268	2204	591ccd266ed89ececae5ab8cb4a0117c.exe	28
PID 2204 wrote to memory of 2268	2204	591ccd266ed89ececae5ab8cb4a0117c.exe	28
PID 2204 wrote to memory of 2268	2204	591ccd266ed89ececae5ab8cb4a0117c.exe	28
PID 2204 wrote to memory of 2268	2204	591ccd266ed89ececae5ab8cb4a0117c.exe	28
PID 2268 wrote to memory of 2684	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	29
PID 2268 wrote to memory of 2684	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	29
PID 2268 wrote to memory of 2684	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	29
PID 2268 wrote to memory of 2684	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	29
PID 2268 wrote to memory of 2924	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	31
PID 2268 wrote to memory of 2924	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	31
PID 2268 wrote to memory of 2924	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	31
PID 2268 wrote to memory of 2924	2268	591ccd266ed89ececae5ab8cb4a0117c.exe	31
PID 2924 wrote to memory of 2732	2924	cmd.exe	33
PID 2924 wrote to memory of 2732	2924	cmd.exe	33
PID 2924 wrote to memory of 2732	2924	cmd.exe	33
PID 2924 wrote to memory of 2732	2924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe
"C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe
  C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\xl20Gmw.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe

Filesize
539KB

MD5
7afba5e7e6c0fee5db6ebc4205bbcdf3

SHA1
ed1553f6b0d20fb868e61ba54f86198abcddb5d8

SHA256
6f411f20cc4a0b961bcf83a76fb6d00e63118b7cf287830ccd175bd183de4c45

SHA512
870d051e43997502530eac0ceaa6bede066aff59626bcbdbc36f147afcd1cc0f1c403ce7c328e4c9996d3e9ac23390ba86a6d96e05524ae6eec2389d6153f801

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl20Gmw.xml

Filesize
1KB

MD5
bbfcbce3808a513a15f09f7408384e6c

SHA1
85603be3fdd02964ea15aad54fc306fbdcf2c762

SHA256
f6d16105280d94b49c3e3d1069ab643fdcfa124a49d31e05594945fea6539823

SHA512
00449b3ab5ad8a1e860f29e8e6936ba19e25816732a0ef874cb05010d44d7293db955106abfc701f090a0d6f307f75ba8bb0537ed5261492083c003e7dc09da9

Download Submit
\Users\Admin\AppData\Local\Temp\591ccd266ed89ececae5ab8cb4a0117c.exe

Filesize
632KB

MD5
04daa60398cfb4dbecd6aa9c61d30376

SHA1
fab0c4e080b40f8ed85876c9a5d697997eb06a37

SHA256
5afe96f177019a67f7b6097c76a1d80231805d9706fc3ce82677bde557e710ec

SHA512
f206a2f6dd617bb21974ba371a68d86ea6351fd23cbd3839edab5ab13ea7220e28478172e2a0033a443681cde41f7be2e1e5c3e7f5ff4c44bf89a3fe2a1a8ba3

Download Submit
memory/2204-4-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2204-16-0x0000000023000000-0x000000002325C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2204-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2204-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2204-53-0x0000000023000000-0x000000002325C000-memory.dmp

Filesize
2.4MB

Download
memory/2268-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2268-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2268-22-0x0000000000250000-0x00000000002CE000-memory.dmp

Filesize
504KB

Download
memory/2268-29-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2268-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads