7df6f6b40a645e029d3b3b9cdabcd84768d943eabfbc18e620ab7773dc420d07

General

Target

59204a85277f26da6f842f68f7e6880a.exe
Size

821KB
MD5

59204a85277f26da6f842f68f7e6880a
SHA1

158a43af132f076b5887c16ed710d35d3cff2d4d
SHA256

7df6f6b40a645e029d3b3b9cdabcd84768d943eabfbc18e620ab7773dc420d07
SHA512

1795de6eecf73fffe132dc8aad8015014ad0444a3dddc01e4f79981d56631e0c9f9370a9ee7ef96cbb31a8a2b0e48546f134b863d341e2c668eaef17ea4c1b96
SSDEEP

24576:epMoc0xRsno7nM+8MYMennhEnt3HiJ+cjukL2CDYO:IMoc0xKnojrzYrnnhEntRcakLz0O

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2920	59204a85277f26da6f842f68f7e6880a.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	59204a85277f26da6f842f68f7e6880a.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	59204a85277f26da6f842f68f7e6880a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012263-11.dat	upx
behavioral1/files/0x000a000000012263-15.dat	upx
behavioral1/memory/2920-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2776	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	59204a85277f26da6f842f68f7e6880a.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	59204a85277f26da6f842f68f7e6880a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	59204a85277f26da6f842f68f7e6880a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	59204a85277f26da6f842f68f7e6880a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2028	59204a85277f26da6f842f68f7e6880a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2028	59204a85277f26da6f842f68f7e6880a.exe
2920	59204a85277f26da6f842f68f7e6880a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2920	2028	59204a85277f26da6f842f68f7e6880a.exe	29
PID 2028 wrote to memory of 2920	2028	59204a85277f26da6f842f68f7e6880a.exe	29
PID 2028 wrote to memory of 2920	2028	59204a85277f26da6f842f68f7e6880a.exe	29
PID 2028 wrote to memory of 2920	2028	59204a85277f26da6f842f68f7e6880a.exe	29
PID 2920 wrote to memory of 2776	2920	59204a85277f26da6f842f68f7e6880a.exe	30
PID 2920 wrote to memory of 2776	2920	59204a85277f26da6f842f68f7e6880a.exe	30
PID 2920 wrote to memory of 2776	2920	59204a85277f26da6f842f68f7e6880a.exe	30
PID 2920 wrote to memory of 2776	2920	59204a85277f26da6f842f68f7e6880a.exe	30
PID 2920 wrote to memory of 2712	2920	59204a85277f26da6f842f68f7e6880a.exe	32
PID 2920 wrote to memory of 2712	2920	59204a85277f26da6f842f68f7e6880a.exe	32
PID 2920 wrote to memory of 2712	2920	59204a85277f26da6f842f68f7e6880a.exe	32
PID 2920 wrote to memory of 2712	2920	59204a85277f26da6f842f68f7e6880a.exe	32
PID 2712 wrote to memory of 2664	2712	cmd.exe	34
PID 2712 wrote to memory of 2664	2712	cmd.exe	34
PID 2712 wrote to memory of 2664	2712	cmd.exe	34
PID 2712 wrote to memory of 2664	2712	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe
"C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe
  C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\HMrJwe.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe

Filesize
821KB

MD5
c611c788107418e3888d3429be57632c

SHA1
e870c0d91508c81fa4289b42b2e07d8d6365bf51

SHA256
33fa0609de4bb5c4cc73fc0125c73fbf40cfce780e1873e34dd2221401f04cf3

SHA512
bdba053de571ecac5a2469388407bf482936f33b979fedde0880f9853ac197f03ffcb1b60ed9ea13e7caddc83ce97fc365315e7f86a4e24bb895f85ed662bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMrJwe.xml

Filesize
1KB

MD5
c90895c4db66596b7cb1b91c012ec2a4

SHA1
e95275a1bcfbbe882795cb3ae6beae94464195ad

SHA256
58c035fcab02d2e5e63f0396d34ea95cd45d93c2bebdf14fd0b8de331a2dcbf0

SHA512
bfab7cbf7c8b6124cc42429b63f9a86d96b58a5ea4e12ad2ed8460359860e14e8829c3b18a2c9b08456a675acf4ec55472e181710e41818f82aa81ca85d5930a

Download Submit
\Users\Admin\AppData\Local\Temp\59204a85277f26da6f842f68f7e6880a.exe

Filesize
458KB

MD5
959a939f7ec69e97955e9c88c270ed14

SHA1
62608041b47578dacb12d14444fb730782d74d77

SHA256
97e47f685bd89c77e594c872c15376a0b17c11f2ba7e60f66466aeb7d50c4354

SHA512
0e8172148f77773d20e9d2c3a1b8c9c6cf8d6ebdeb1fac73b2efe59b38b55566a64cea7c783ae76bfe996d3ee843ef22674446f4cb6b8c8d3f4347fb6d114c09

Download Submit
memory/2028-17-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2028-2-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2028-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2920-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2920-20-0x00000000002B0000-0x000000000032E000-memory.dmp

Filesize
504KB

Download
memory/2920-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-31-0x00000000001C0000-0x000000000022B000-memory.dmp

Filesize
428KB

Download
memory/2920-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads