d0d15d7fe3686d50fc9a075c24e434ed0cbe72b37f59d36b9474a4e4246d92cb

General

Target

676596fbf69c60cf6c4bc3b5c3ed9b70.exe
Size

133KB
MD5

676596fbf69c60cf6c4bc3b5c3ed9b70
SHA1

0d39a414262e0dd3e4ee5f5480c790671b19fa28
SHA256

d0d15d7fe3686d50fc9a075c24e434ed0cbe72b37f59d36b9474a4e4246d92cb
SHA512

1989a538452436ced3910ef9941960ac8224063a7786526b9864ac644c644cf0c88be8c03e62fa0957f5b804ba77306c3437b8da7e1e6b70af7b6c344a98f17d
SSDEEP

3072:I/++PaDp/zFyC+OgpvI+wSCDeNAAhyaAIox7qZ4dzQ:w+bp/JytBpvI+3UK7hW37bdzQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-11.dat	upx
behavioral1/files/0x000b00000001226e-14.dat	upx
behavioral1/memory/2312-13-0x0000000000190000-0x0000000000216000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	676596fbf69c60cf6c4bc3b5c3ed9b70.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	676596fbf69c60cf6c4bc3b5c3ed9b70.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	676596fbf69c60cf6c4bc3b5c3ed9b70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe
2684	676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2684	2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe	27
PID 2312 wrote to memory of 2684	2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe	27
PID 2312 wrote to memory of 2684	2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe	27
PID 2312 wrote to memory of 2684	2312	676596fbf69c60cf6c4bc3b5c3ed9b70.exe	27

C:\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe
"C:\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe
  C:\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Filesize
133KB

MD5
2cbd1cd9338ab5b6604053ee22a91855

SHA1
35bdd7e00bb70bd6ed16fd6e2b236b9e5f2e8af5

SHA256
a93d37ec6391377395b5021756fdc804578e8f8a90e507111d2d800dcf9e6189

SHA512
62f67888e9a4447607b9f3d0bbf409dc8df0689f7426dfcae233546caab0cc2d3682112ac656fcb0797e416a0cfe2ec94c4dab557527b3a82e35c679032dd9d0

Download Submit
\Users\Admin\AppData\Local\Temp\676596fbf69c60cf6c4bc3b5c3ed9b70.exe

Filesize
64KB

MD5
c4d0d1e09d27e22a1a693db0d6558b7e

SHA1
232fa40f4b87abff60b7ed1542740aa260006219

SHA256
82ea6fcee708f36aba2d5e46397b8ee7d2c9f26680b504c57755d948118e2153

SHA512
92d066e4ffbe3f5fe6dc0754b331d8b4569878a0cdc88ef129904cb703526bf18763275351b17c50bd79b7d5a71e7da9fd43d863f0f6d2f2a175a3fd857cc478

Download Submit
memory/2312-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2312-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2312-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-13-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2684-17-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2684-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing