81642a02d6e6d284a2b5544e0b103beb1f6502de32fd3c0fda7d566f91bebeed

General

Target

5acc57a2096d2dfe306207ace4a79e95.exe
Size

501KB
MD5

5acc57a2096d2dfe306207ace4a79e95
SHA1

a003df091c6769001f32398aa30bf54a5b660568
SHA256

81642a02d6e6d284a2b5544e0b103beb1f6502de32fd3c0fda7d566f91bebeed
SHA512

2ef5fb9e76274bd32c8896c426ae1424811ce12fc2f9e3fb942a9a20d75b033df467453c48fccde4a2adc51dc6bd5e9c3a21be07b8f02ee4f2d240e6eef8956d
SSDEEP

12288:UlpInVSxzFOdaKg1nqqErcRULOfljO0K31:1n0olwtEoK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	5acc57a2096d2dfe306207ace4a79e95.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	5acc57a2096d2dfe306207ace4a79e95.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	5acc57a2096d2dfe306207ace4a79e95.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001225c-13.dat	upx
behavioral1/files/0x000d00000001225c-17.dat	upx
behavioral1/memory/2016-16-0x0000000022E20000-0x000000002307C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5acc57a2096d2dfe306207ace4a79e95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5acc57a2096d2dfe306207ace4a79e95.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	5acc57a2096d2dfe306207ace4a79e95.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	5acc57a2096d2dfe306207ace4a79e95.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	5acc57a2096d2dfe306207ace4a79e95.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2016	5acc57a2096d2dfe306207ace4a79e95.exe
2680	5acc57a2096d2dfe306207ace4a79e95.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2680	2016	5acc57a2096d2dfe306207ace4a79e95.exe	29
PID 2016 wrote to memory of 2680	2016	5acc57a2096d2dfe306207ace4a79e95.exe	29
PID 2016 wrote to memory of 2680	2016	5acc57a2096d2dfe306207ace4a79e95.exe	29
PID 2016 wrote to memory of 2680	2016	5acc57a2096d2dfe306207ace4a79e95.exe	29
PID 2680 wrote to memory of 2684	2680	5acc57a2096d2dfe306207ace4a79e95.exe	31
PID 2680 wrote to memory of 2684	2680	5acc57a2096d2dfe306207ace4a79e95.exe	31
PID 2680 wrote to memory of 2684	2680	5acc57a2096d2dfe306207ace4a79e95.exe	31
PID 2680 wrote to memory of 2684	2680	5acc57a2096d2dfe306207ace4a79e95.exe	31
PID 2680 wrote to memory of 2668	2680	5acc57a2096d2dfe306207ace4a79e95.exe	33
PID 2680 wrote to memory of 2668	2680	5acc57a2096d2dfe306207ace4a79e95.exe	33
PID 2680 wrote to memory of 2668	2680	5acc57a2096d2dfe306207ace4a79e95.exe	33
PID 2680 wrote to memory of 2668	2680	5acc57a2096d2dfe306207ace4a79e95.exe	33
PID 2668 wrote to memory of 2396	2668	cmd.exe	34
PID 2668 wrote to memory of 2396	2668	cmd.exe	34
PID 2668 wrote to memory of 2396	2668	cmd.exe	34
PID 2668 wrote to memory of 2396	2668	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe
"C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe
  C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\27I67nkAR.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27I67nkAR.xml

Filesize
1KB

MD5
6af5ade988f6243bf2af9b8b211ea70d

SHA1
451104cc42abb5a69f016adc62afd9b4e9d050f3

SHA256
e5275994f9018d040aebc979d67d5a39928f66f47ae0a8f0a4e611d5063ad57b

SHA512
724b6039a1613fc0cea6f70042da4eef99c29c97a3e4d6b1c225c72c7121dc24fe21232636109a3b0602431b739f9cefda87149f65a0955307ce2b1e7c3a41fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe

Filesize
501KB

MD5
c94638a285767ee1db1861eb91d3d2de

SHA1
b7f704bc845f41cee4ac08d5d358649715bdb158

SHA256
f5b5dc55291a03b3843a6826a67deef6854421f68e6efa5b03818efa1e361b78

SHA512
f77af78417c433dea537868127bc952520ef7a2afbccf1e8c573659fc60166d2542e6e634b0232c1dce33a022eb5fecd87bdcaf9faa4d9dde1514959f0dfaf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\5acc57a2096d2dfe306207ace4a79e95.exe

Filesize
382KB

MD5
a3f26b779590f12a0d72c488c7258205

SHA1
c28c62cb96b5a92bd04fa366799416bfbdff99b6

SHA256
71debd483eb3aea9f8159a0d724b27dff22ce8d626bb1c3a0749b098ef52c34d

SHA512
c6274d439d65361138bb583cdeb69a7619c9d9ff412bda6cf8b5b4beb2f8b6f824d92c12ec14980d2d2298d0a84fd66742300223ca10d9c5f84ddaa3b8a7183d

Download Submit
memory/2016-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2016-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2016-3-0x0000000022DA0000-0x0000000022E1E000-memory.dmp

Filesize
504KB

Download
memory/2016-16-0x0000000022E20000-0x000000002307C000-memory.dmp

Filesize
2.4MB

Download
memory/2016-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2680-22-0x0000000000260000-0x00000000002DE000-memory.dmp

Filesize
504KB

Download
memory/2680-31-0x0000000000340000-0x00000000003AB000-memory.dmp

Filesize
428KB

Download
memory/2680-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2680-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2680-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads