d2302eb1e163569ff8382016f03ac8887ca204447278bfa4c6f25f304f001737

General

Target

5c1e76048e0f191c44de22640166cb47.exe
Size

3.9MB
MD5

5c1e76048e0f191c44de22640166cb47
SHA1

f645771e71b7da721e423ee78cb658601eb8b4c3
SHA256

d2302eb1e163569ff8382016f03ac8887ca204447278bfa4c6f25f304f001737
SHA512

b0192d35993dd92f0bc44e9ee8f71ddf28f688ff0f2453c6d61ad5bffd937a0717d45ed6b83612aef9b6cc551deb64b6ee4dde4e4fc62e4c062d273d5b16ebb6
SSDEEP

98304:5o33UlksEycXy67D2i7D3xkOxYwpKvNpVdbQOD2i7D3xkOxYwpKkRAIwywj92WD7:5oUGsEycCUh7FkNqK5pzh7FkNqKQpSTn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
964	5c1e76048e0f191c44de22640166cb47.exe

Executes dropped EXE 1 IoCs

pid	Process
964	5c1e76048e0f191c44de22640166cb47.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	5c1e76048e0f191c44de22640166cb47.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000013a1a-11.dat	upx
behavioral1/files/0x000a000000013a1a-15.dat	upx
behavioral1/files/0x000a000000013a1a-13.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5c1e76048e0f191c44de22640166cb47.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5c1e76048e0f191c44de22640166cb47.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	5c1e76048e0f191c44de22640166cb47.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	5c1e76048e0f191c44de22640166cb47.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2040	5c1e76048e0f191c44de22640166cb47.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	5c1e76048e0f191c44de22640166cb47.exe
964	5c1e76048e0f191c44de22640166cb47.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 964	2040	5c1e76048e0f191c44de22640166cb47.exe	29
PID 2040 wrote to memory of 964	2040	5c1e76048e0f191c44de22640166cb47.exe	29
PID 2040 wrote to memory of 964	2040	5c1e76048e0f191c44de22640166cb47.exe	29
PID 2040 wrote to memory of 964	2040	5c1e76048e0f191c44de22640166cb47.exe	29
PID 964 wrote to memory of 2704	964	5c1e76048e0f191c44de22640166cb47.exe	31
PID 964 wrote to memory of 2704	964	5c1e76048e0f191c44de22640166cb47.exe	31
PID 964 wrote to memory of 2704	964	5c1e76048e0f191c44de22640166cb47.exe	31
PID 964 wrote to memory of 2704	964	5c1e76048e0f191c44de22640166cb47.exe	31
PID 964 wrote to memory of 2624	964	5c1e76048e0f191c44de22640166cb47.exe	34
PID 964 wrote to memory of 2624	964	5c1e76048e0f191c44de22640166cb47.exe	34
PID 964 wrote to memory of 2624	964	5c1e76048e0f191c44de22640166cb47.exe	34
PID 964 wrote to memory of 2624	964	5c1e76048e0f191c44de22640166cb47.exe	34
PID 2624 wrote to memory of 2304	2624	cmd.exe	32
PID 2624 wrote to memory of 2304	2624	cmd.exe	32
PID 2624 wrote to memory of 2304	2624	cmd.exe	32
PID 2624 wrote to memory of 2304	2624	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe
"C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe
  C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\vdgHr.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qm2lmOfce5f6
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe

Filesize
190KB

MD5
2c0eec3653039887f7e691e7fd5be49f

SHA1
bfcfcb24549c99640e80ff38c59771ca1454e9f2

SHA256
8fbce2d49ab1495ac19a8f8804797a6e960002744ce07541b8c282976bcb17cc

SHA512
c7ebbfa607ff4a71010867fd094adcd89556429f3d35a054e8c6c0cacd2ddab890da76a6ddea5a2033c3adb413810a6399771a2834ab0152bab16609c3ebc97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe

Filesize
280KB

MD5
855abb78ad4b64566410fb8331548acf

SHA1
a11d10ee382f1aa252dcb90c26502585c2fd02d1

SHA256
2d3d55b12f32bda6828a0d2a6bf3f14fdc2d6dbcf683e52d5dce41bd0caea4b7

SHA512
6717789a40540287d4000b23aea1a798bdecde441b92acfbe289469ace141a3798700d02bc666b3ef362e2b464b10eab2f8dfacee0f6a25f3618ea8734477e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdgHr.xml

Filesize
1KB

MD5
6e2581413e6be53dcd00ba6450a4abce

SHA1
9944423e53e187c023432b0846eab08f26dc13ec

SHA256
da2a700761ee21555157a49e7065904506cb6a5b098a6ce3102b34a111c16c32

SHA512
ad3cf663bc58ffbe30ccd3a1efeb5b04935fd0d9f7bd177ff4d3fea62220a097e861e64438bd888aee740db178fcabcc146b96f03f8690f2a0be1f4c006eaefd

Download Submit
\Users\Admin\AppData\Local\Temp\5c1e76048e0f191c44de22640166cb47.exe

Filesize
696KB

MD5
dd6f0b6a7dacecbf1368d72f5beb6a6c

SHA1
083e72a0b67e255efde4345befd9fc126a5c2d2c

SHA256
464d30c3ba35f719a5e0dbb6430122ce275c6c1c6196e116108e547dcda493f4

SHA512
53dc138d7f8e44d78fb6fd342a82e7785a294c63df3049db4e9dc2b69812197d53c5a16551033713309fa4ebb01255e8ca2d09e8f38ec7bfc00c0b205b517f1b

Download Submit
memory/964-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/964-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/964-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/964-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/964-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2040-17-0x0000000023710000-0x000000002396C000-memory.dmp

Filesize
2.4MB

Download
memory/2040-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2040-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2040-8-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2040-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads