7d93020d62d2ab16e4b863013816efa0452873c50ad6519d0ce448fae4563b23

General

Target

63a87f3d8a90c87da4488667eb710c96.exe
Size

1.6MB
MD5

63a87f3d8a90c87da4488667eb710c96
SHA1

f49f6997ee73a73e7166e76cef31efce10ba1ebf
SHA256

7d93020d62d2ab16e4b863013816efa0452873c50ad6519d0ce448fae4563b23
SHA512

47ed3cf3c59b888caa92f4e6fda5d40fef406e4a5619960e6d2c009cc3035aef484d293a1a27ee3e4000d9cd265085a90ca9f708ee7eb2fa08ed68f64a489602
SSDEEP

49152:ENKmDynHE0g+qWMeOdcakLz0LjHvnkgsCl2T+66UDcakLz0O:ENKab0fqWMe4cakcLjHvnk/CkT+66UD2

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	63a87f3d8a90c87da4488667eb710c96.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	63a87f3d8a90c87da4488667eb710c96.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	63a87f3d8a90c87da4488667eb710c96.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012327-11.dat	upx
behavioral1/files/0x000c000000012327-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2820	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	63a87f3d8a90c87da4488667eb710c96.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	63a87f3d8a90c87da4488667eb710c96.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	63a87f3d8a90c87da4488667eb710c96.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	63a87f3d8a90c87da4488667eb710c96.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	63a87f3d8a90c87da4488667eb710c96.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3012	63a87f3d8a90c87da4488667eb710c96.exe
2652	63a87f3d8a90c87da4488667eb710c96.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2652	3012	63a87f3d8a90c87da4488667eb710c96.exe	29
PID 3012 wrote to memory of 2652	3012	63a87f3d8a90c87da4488667eb710c96.exe	29
PID 3012 wrote to memory of 2652	3012	63a87f3d8a90c87da4488667eb710c96.exe	29
PID 3012 wrote to memory of 2652	3012	63a87f3d8a90c87da4488667eb710c96.exe	29
PID 2652 wrote to memory of 2820	2652	63a87f3d8a90c87da4488667eb710c96.exe	30
PID 2652 wrote to memory of 2820	2652	63a87f3d8a90c87da4488667eb710c96.exe	30
PID 2652 wrote to memory of 2820	2652	63a87f3d8a90c87da4488667eb710c96.exe	30
PID 2652 wrote to memory of 2820	2652	63a87f3d8a90c87da4488667eb710c96.exe	30
PID 2652 wrote to memory of 2692	2652	63a87f3d8a90c87da4488667eb710c96.exe	33
PID 2652 wrote to memory of 2692	2652	63a87f3d8a90c87da4488667eb710c96.exe	33
PID 2652 wrote to memory of 2692	2652	63a87f3d8a90c87da4488667eb710c96.exe	33
PID 2652 wrote to memory of 2692	2652	63a87f3d8a90c87da4488667eb710c96.exe	33
PID 2692 wrote to memory of 2856	2692	cmd.exe	34
PID 2692 wrote to memory of 2856	2692	cmd.exe	34
PID 2692 wrote to memory of 2856	2692	cmd.exe	34
PID 2692 wrote to memory of 2856	2692	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe
"C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe
  C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\xT5Qyo.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe

Filesize
224KB

MD5
68c689043df6080ef326933f449cebdb

SHA1
cc9227027fd5b9fbd6ac41ba4e43e3ce218c93ff

SHA256
03d2699b278ce92f7bac12806ecc912ca0a3ccf29d41eeadc5933b16aeb549a7

SHA512
3b1afcfed31e4eedf329f9d095e5409d98615a3c5e6ef4b9ef93d2c47a8a5716bdd6d676769051a1c294babbd7084767efdc97c1e1a4fa4c29d2766f410cfc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\xT5Qyo.xml

Filesize
1KB

MD5
095840c61964aa11a759aa3631bc59f0

SHA1
563c5d22608e0e35837b83a4cbecb6b97d06ffcb

SHA256
b9c9913d65e3ebc8262015147beccd7600e06bebb46a3e0eac6e8232606d3882

SHA512
16ead25b43a1bf058318a0c31c689578dcf9e8c0c2938ef75b20da52bf05503a7814bdc96e0a0cf034b71784b2eb5184cd5173f25ce1d26544e69b1562e8b52e

Download Submit
\Users\Admin\AppData\Local\Temp\63a87f3d8a90c87da4488667eb710c96.exe

Filesize
367KB

MD5
dc14f5c176fa2c1a6436578b9ea60383

SHA1
12290a51038c31ee75c2b62d9cb6d443b623aa7c

SHA256
01014d68602116ccb1583f2b1e7cab588215b806fa9a90d40bbbee87688491ad

SHA512
69beb047a2aca7d3a44e60e05cb9d985b59f382868608df0c0ac71e54326a24e95ff963a37e648b1aaff0d5cda3ce138f2876ff85cacd202962f8520af6e5f6b

Download Submit
memory/2652-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2652-21-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2652-31-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2652-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2652-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3012-3-0x0000000000340000-0x00000000003BE000-memory.dmp

Filesize
504KB

Download
memory/3012-17-0x0000000022F40000-0x000000002319C000-memory.dmp

Filesize
2.4MB

Download
memory/3012-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3012-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3012-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads