0d001878bd1ffe6afd2cb34563e35d873ab2d3e2b726ceeb2df570376cfb1491

General

Target

6762bf2e2c7bc2eca14742acc48acba3.exe
Size

501KB
MD5

6762bf2e2c7bc2eca14742acc48acba3
SHA1

057d473224aa66aa835ca604f7d040f522dc14f0
SHA256

0d001878bd1ffe6afd2cb34563e35d873ab2d3e2b726ceeb2df570376cfb1491
SHA512

551055a1addabc13a7e8e0de6b53bbdae2e069cd4eabb8ed26767181017acdaa034b1c677c3893580ad7e2b37b1e3d608fe6938a88f185cab4b62ee00f97f7b1
SSDEEP

12288:5kpVmn7nkA/c95IZn84Z8frmfiFSwIZIFpAlr9m0I3+Fv2S5ZiPrH5wx2A:5Jn7w7IZntermvwSIOFeS5UPrHC0

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	6762bf2e2c7bc2eca14742acc48acba3.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	6762bf2e2c7bc2eca14742acc48acba3.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	6762bf2e2c7bc2eca14742acc48acba3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2800-16-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2824	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6762bf2e2c7bc2eca14742acc48acba3.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	6762bf2e2c7bc2eca14742acc48acba3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	6762bf2e2c7bc2eca14742acc48acba3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6762bf2e2c7bc2eca14742acc48acba3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2196	6762bf2e2c7bc2eca14742acc48acba3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2196	6762bf2e2c7bc2eca14742acc48acba3.exe
2800	6762bf2e2c7bc2eca14742acc48acba3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2800	2196	6762bf2e2c7bc2eca14742acc48acba3.exe	29
PID 2196 wrote to memory of 2800	2196	6762bf2e2c7bc2eca14742acc48acba3.exe	29
PID 2196 wrote to memory of 2800	2196	6762bf2e2c7bc2eca14742acc48acba3.exe	29
PID 2196 wrote to memory of 2800	2196	6762bf2e2c7bc2eca14742acc48acba3.exe	29
PID 2800 wrote to memory of 2824	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	31
PID 2800 wrote to memory of 2824	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	31
PID 2800 wrote to memory of 2824	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	31
PID 2800 wrote to memory of 2824	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	31
PID 2800 wrote to memory of 2812	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	32
PID 2800 wrote to memory of 2812	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	32
PID 2800 wrote to memory of 2812	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	32
PID 2800 wrote to memory of 2812	2800	6762bf2e2c7bc2eca14742acc48acba3.exe	32
PID 2812 wrote to memory of 2624	2812	cmd.exe	34
PID 2812 wrote to memory of 2624	2812	cmd.exe	34
PID 2812 wrote to memory of 2624	2812	cmd.exe	34
PID 2812 wrote to memory of 2624	2812	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe
"C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe
  C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\ZvMIE0.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN QxutJGth3fd4
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6762bf2e2c7bc2eca14742acc48acba3.exe

Filesize
501KB

MD5
a147905e60b50f108c68fc266fef3e4f

SHA1
f1452511d06b645d1dcae6533ddc5e7e570c1604

SHA256
5e470e277efa5ce5061204652d576ae764bb8bb3ff5eef5c25c6fd8257a00835

SHA512
2324e0ee7dec87c92c68f6ef770559e622cd58ea41bcd34611e3dff297b456e3bb8b9b414eaf124a6c31f2c5b260f15e637064eda38a792e6ba94619a01a365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvMIE0.xml

Filesize
1KB

MD5
a2d33aaff89aef1e64a9f410adf40658

SHA1
440982124fe4685037775b39f222665220fe9ade

SHA256
862aa28aaaad90b961a7c45689e363fe0873ff17085e22a7911d224307f2132d

SHA512
dda5ea11f6d94dd2244f5bdbf26beae63c7d5871f6daa88d549a6c06a277c0b82514eb4f7b815900dff62f8e977011a589219e54537da29a2ee273c192f62683

Download Submit
memory/2196-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2196-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2196-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2196-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2800-16-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2800-19-0x0000000000290000-0x000000000030E000-memory.dmp

Filesize
504KB

Download
memory/2800-29-0x00000000001A0000-0x000000000020B000-memory.dmp

Filesize
428KB

Download
memory/2800-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads