015cce215f5f10a30221580ce52aef40f926feb519e75a313dfd117053bfd1b3

General

Target

5a72fbcb0606a056bba59fd276d356b6.exe
Size

1.6MB
MD5

5a72fbcb0606a056bba59fd276d356b6
SHA1

fe62ec90043fb7e5778b529be9fa72ba54418e49
SHA256

015cce215f5f10a30221580ce52aef40f926feb519e75a313dfd117053bfd1b3
SHA512

929f1d63802c989ef59624b25e0edbff89bbaf356308b8ba2e5bf5f291e2aaa8df4821e41c29af49c3c0c0b43ea0b46168b480746e4ba020b2441c96b93c6020
SSDEEP

49152:58PodLAbxrdr50+N8UGvCcakLz0o1KI1Wn/nKmcakLz0O:58PMAbxZru+N8NacakcQK48/nBcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2184	5a72fbcb0606a056bba59fd276d356b6.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	5a72fbcb0606a056bba59fd276d356b6.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	5a72fbcb0606a056bba59fd276d356b6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000015c71-13.dat	upx
behavioral1/files/0x0009000000015c71-11.dat	upx
behavioral1/files/0x0009000000015c71-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5a72fbcb0606a056bba59fd276d356b6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5a72fbcb0606a056bba59fd276d356b6.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	5a72fbcb0606a056bba59fd276d356b6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	5a72fbcb0606a056bba59fd276d356b6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2548	5a72fbcb0606a056bba59fd276d356b6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2548	5a72fbcb0606a056bba59fd276d356b6.exe
2184	5a72fbcb0606a056bba59fd276d356b6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2184	2548	5a72fbcb0606a056bba59fd276d356b6.exe	15
PID 2548 wrote to memory of 2184	2548	5a72fbcb0606a056bba59fd276d356b6.exe	15
PID 2548 wrote to memory of 2184	2548	5a72fbcb0606a056bba59fd276d356b6.exe	15
PID 2548 wrote to memory of 2184	2548	5a72fbcb0606a056bba59fd276d356b6.exe	15
PID 2184 wrote to memory of 2696	2184	5a72fbcb0606a056bba59fd276d356b6.exe	17
PID 2184 wrote to memory of 2696	2184	5a72fbcb0606a056bba59fd276d356b6.exe	17
PID 2184 wrote to memory of 2696	2184	5a72fbcb0606a056bba59fd276d356b6.exe	17
PID 2184 wrote to memory of 2696	2184	5a72fbcb0606a056bba59fd276d356b6.exe	17
PID 2184 wrote to memory of 2620	2184	5a72fbcb0606a056bba59fd276d356b6.exe	21
PID 2184 wrote to memory of 2620	2184	5a72fbcb0606a056bba59fd276d356b6.exe	21
PID 2184 wrote to memory of 2620	2184	5a72fbcb0606a056bba59fd276d356b6.exe	21
PID 2184 wrote to memory of 2620	2184	5a72fbcb0606a056bba59fd276d356b6.exe	21
PID 2620 wrote to memory of 2684	2620	cmd.exe	19
PID 2620 wrote to memory of 2684	2620	cmd.exe	19
PID 2620 wrote to memory of 2684	2620	cmd.exe	19
PID 2620 wrote to memory of 2684	2620	cmd.exe	19

C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe
C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe" /TN qm2lmOfce5f6 /F
  2⤵
  - Creates scheduled task(s)
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\MJ4scwI.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620

C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe
"C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe

Filesize
251KB

MD5
c8695228ce980fd228ba46c9791a114c

SHA1
78285b983fb93ad71b31d10ce46c6f5cc3742ea5

SHA256
4a964c9fd55ac2c415fdca858df6d57cf1d3a8d66720cebc4a646c67d85768e7

SHA512
38b3c173b14439e773f783a9bbfeb2bb185d097440ed9f9c6a80cff3742dceb27e4f7e96b0f0b314d09b858323103a9811a2033d96cc1d2f46c641030ac4fcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe

Filesize
217KB

MD5
cf85e9915afbd3d5b22f436ee9d8c24a

SHA1
b1e2946b1f96eac9d26577a1143c9e71b627433c

SHA256
f9d555dbf37a195e66a50064465b6164a41f62c81ee26e0986cf04232f790e60

SHA512
9965476fe61492a5cda29cef4524ae0ed8d8b84e00a16ed1c2719f90c9acb76d0f3dd5b18c59309af39d19aa00ca88e6fba6a0d2b5f8f3de815ce26a6564540e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJ4scwI.xml

Filesize
1KB

MD5
474ea947bfa4be4aa31678333dfb69a7

SHA1
2653e325b05826a7259a08813885145195874089

SHA256
4085f55e6f2b5036678f6de1e0021b912431d839b4060efba96fb352cc2e93eb

SHA512
36e023067c625d5d02231fcaad49c11f563edd99c69351b781936d7b732bcb993dab56a54f3b579ff3b47c74507ef2899f6eb64b7ee6b1da17bdbe915e6dfa71

Download Submit
\Users\Admin\AppData\Local\Temp\5a72fbcb0606a056bba59fd276d356b6.exe

Filesize
275KB

MD5
69f06d72a00eca64a71348097c4c9435

SHA1
049493a33dc11a114aa31a0b7ff04fdd779442ad

SHA256
c91493e8002c57dd01790ae85044bde7b2fa941228d032e68ecffe49cea8cb3e

SHA512
5d12229603f4a416a4c7bbcf230e20421c163fa0bf6cb36f81e11080353c009631921946392be151c1bd78254bc9d8b6ac398b3e018473fa1c58403c82622a58

Download Submit
memory/2184-18-0x0000000022DC0000-0x0000000022E3E000-memory.dmp

Filesize
504KB

Download
memory/2184-25-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2184-27-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2184-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2184-43-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2548-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2548-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2548-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2548-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads