e17d28bf3522f3531241be03ff2e93a7cb2efa8d0335be8555d6426de3761795

General

Target

66cc0838432b2b0f1334f589739a3da5.exe
Size

5.5MB
MD5

66cc0838432b2b0f1334f589739a3da5
SHA1

1e3b883c44e992b89ba2467a99ad090afc40ab78
SHA256

e17d28bf3522f3531241be03ff2e93a7cb2efa8d0335be8555d6426de3761795
SHA512

50e61218da095830f5fc0e997f0e521e4087a27a75d197eb6daea06dbdfd8c47708c6b3956524bc5ec52e0d80e8d9a42e3155f954ce30c37009efbba09167e2c
SSDEEP

49152:MLkHdpIgiTBOZm8Q+7kJTi9r9L6pH0JL5kzad2ay3vRmCFOGNj8mW4JH53R+wVGf:DvQd+wH0JmGQ35mCckFR+vicS43

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	66cc0838432b2b0f1334f589739a3da5.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	66cc0838432b2b0f1334f589739a3da5.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	66cc0838432b2b0f1334f589739a3da5.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-11.dat	upx
behavioral1/memory/2748-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-15.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	66cc0838432b2b0f1334f589739a3da5.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	66cc0838432b2b0f1334f589739a3da5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	66cc0838432b2b0f1334f589739a3da5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	66cc0838432b2b0f1334f589739a3da5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2420	66cc0838432b2b0f1334f589739a3da5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2420	66cc0838432b2b0f1334f589739a3da5.exe
2748	66cc0838432b2b0f1334f589739a3da5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2748	2420	66cc0838432b2b0f1334f589739a3da5.exe	28
PID 2420 wrote to memory of 2748	2420	66cc0838432b2b0f1334f589739a3da5.exe	28
PID 2420 wrote to memory of 2748	2420	66cc0838432b2b0f1334f589739a3da5.exe	28
PID 2420 wrote to memory of 2748	2420	66cc0838432b2b0f1334f589739a3da5.exe	28

C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
"C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
  C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe

Filesize
1.4MB

MD5
24b8bf71c1f58817b1c57c79f07f5250

SHA1
166bd2d4d7705e5e9a686848ec03388859342058

SHA256
00e05ed9a721a3328330dcfe78fd382b5bc7879b37574ff8539ad64b4b8a4b8f

SHA512
7eb9b1bab872554d44c23e06d8221b63d59c0e791af381555ed45509afc4952667d7c47ce20ae3a979282217cbb82d2a8fd3b96d123194b7abed3a60bd6232f3

Download Submit
\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe

Filesize
1.9MB

MD5
36f8f0fc6515d6877a9ce0c8b032e263

SHA1
15aa253dd5f893aff80ffb24e62ffdd9575b7f7d

SHA256
d025cc1385cb5a9598e5b3f8d1c7ff8c4853ff0b5908d4a5fcef60b09a09e401

SHA512
0e48dbbdb00c622e086f301acbc244e4b4a5f891ed35a15abc1695a8b283af66cfb2b959ed4b8347dcc8f810e4a7d4ca2a79e6faf35111288537bbb4ed8a946e

Download Submit
memory/2420-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2420-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2420-3-0x0000000002190000-0x00000000023EA000-memory.dmp

Filesize
2.4MB

Download
memory/2420-16-0x0000000004330000-0x0000000004CCE000-memory.dmp

Filesize
9.6MB

Download
memory/2420-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2420-43-0x0000000004330000-0x0000000004CCE000-memory.dmp

Filesize
9.6MB

Download
memory/2748-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2748-20-0x0000000002210000-0x000000000246A000-memory.dmp

Filesize
2.4MB

Download
memory/2748-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing