452684513f8aae23868e37b6fde77acace76e1c67ae715c3a918c694317b7e72

General

Target

6392e2352ecb4dadff36f00985b285bb.exe
Size

10.2MB
MD5

6392e2352ecb4dadff36f00985b285bb
SHA1

f206077e8341828dd3493aebb282a5eb1f9ff20d
SHA256

452684513f8aae23868e37b6fde77acace76e1c67ae715c3a918c694317b7e72
SHA512

c2d85908e3a1e46975c17e917275ea8f49ce24e0bf6ee8e4423ca26ecec63a535de526282b0479a69119f38b8e738aa872ca9847eb9f2c723016e3e3bca92511
SSDEEP

98304:6mm39TxSwgnMVbthz3S11qronI0Iy5fKP7grvYLS3O9iRi9Np3S11qronI0Iy5fJ:6mm9x+MVbua0j9WQk9NUa0j9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1692	6392e2352ecb4dadff36f00985b285bb.exe

Executes dropped EXE 1 IoCs

pid	Process
1692	6392e2352ecb4dadff36f00985b285bb.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	6392e2352ecb4dadff36f00985b285bb.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x00090000000142c4-11.dat	upx
behavioral1/files/0x00090000000142c4-14.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6392e2352ecb4dadff36f00985b285bb.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	6392e2352ecb4dadff36f00985b285bb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	6392e2352ecb4dadff36f00985b285bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6392e2352ecb4dadff36f00985b285bb.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2328	6392e2352ecb4dadff36f00985b285bb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2328	6392e2352ecb4dadff36f00985b285bb.exe
1692	6392e2352ecb4dadff36f00985b285bb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1692	2328	6392e2352ecb4dadff36f00985b285bb.exe	28
PID 2328 wrote to memory of 1692	2328	6392e2352ecb4dadff36f00985b285bb.exe	28
PID 2328 wrote to memory of 1692	2328	6392e2352ecb4dadff36f00985b285bb.exe	28
PID 2328 wrote to memory of 1692	2328	6392e2352ecb4dadff36f00985b285bb.exe	28

C:\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe
"C:\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe
  C:\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe

Filesize
216KB

MD5
dfa0430bce10f16b8194ea4f9f7b413e

SHA1
c5ffc456c2281ca32486bb7d320048a517d2a567

SHA256
8c7b6405086240f02cfca1877889f57462719ba511228866ef4e0287f705aeb4

SHA512
ba18c71050a1ec568a069553feb807e4d018fea7ec63e39d0c347c97eb95fb045f3643dce4d1f1ac76c777da58cb3cdfdb31683f80e265b38c8a3b418e92e39f

Download Submit
\Users\Admin\AppData\Local\Temp\6392e2352ecb4dadff36f00985b285bb.exe

Filesize
274KB

MD5
cf4b1fcc84fccc5c1f6fc168274cddc5

SHA1
86452dbbfdefc14dd387b8e68d78ca02091c00a1

SHA256
c6aa024ee611700e6aa3c66ba3a1f1a7fe91a050836341d6aaa83273b9c8cd1b

SHA512
0886cf493833c59f4c78b6e12d209ca3707a1d0363238a65f7de9d9e00a18ddcc27c0bca242b478661d982469f45c44c480b1afa03a98bc37468e776573e4b6c

Download Submit
memory/1692-17-0x0000000002250000-0x00000000024AA000-memory.dmp

Filesize
2.4MB

Download
memory/1692-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1692-33-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2328-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2328-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2328-2-0x0000000002230000-0x000000000248A000-memory.dmp

Filesize
2.4MB

Download
memory/2328-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing