3ff2aa6bce37af4268506ccec8e6e226fdae66f1b3a9ed1c51cb9a30038b3cec

General

Target

70330eab735f4331f9644dd24a264e4e.exe
Size

821KB
MD5

70330eab735f4331f9644dd24a264e4e
SHA1

81f3dd4de70fccb4c5075ad5a482e443f19dac9f
SHA256

3ff2aa6bce37af4268506ccec8e6e226fdae66f1b3a9ed1c51cb9a30038b3cec
SHA512

bd59ad2daddf7cbde7a2e95f400d12e0feafd84d8920a2f15440c669045db178dc30b42abbfe00b9c2bf3f1b0b8bf4cc525204aa1978c5f52db81197427aff66
SSDEEP

12288:iUzMiJ4IuYHK5w34Pi2Am8VPCYfhJ9a/kkFAf9Mqbl1mbFWdflO9dJ5IECpxOok7:F4IuJ5Tq2wCY8Tq9CbKcjukL2CDYO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	70330eab735f4331f9644dd24a264e4e.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	70330eab735f4331f9644dd24a264e4e.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	70330eab735f4331f9644dd24a264e4e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012242-11.dat	upx
behavioral1/files/0x000b000000012242-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	70330eab735f4331f9644dd24a264e4e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	70330eab735f4331f9644dd24a264e4e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2756	70330eab735f4331f9644dd24a264e4e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2756	70330eab735f4331f9644dd24a264e4e.exe
2796	70330eab735f4331f9644dd24a264e4e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2796	2756	70330eab735f4331f9644dd24a264e4e.exe	21
PID 2756 wrote to memory of 2796	2756	70330eab735f4331f9644dd24a264e4e.exe	21
PID 2756 wrote to memory of 2796	2756	70330eab735f4331f9644dd24a264e4e.exe	21
PID 2756 wrote to memory of 2796	2756	70330eab735f4331f9644dd24a264e4e.exe	21
PID 2796 wrote to memory of 2764	2796	70330eab735f4331f9644dd24a264e4e.exe	26
PID 2796 wrote to memory of 2764	2796	70330eab735f4331f9644dd24a264e4e.exe	26
PID 2796 wrote to memory of 2764	2796	70330eab735f4331f9644dd24a264e4e.exe	26
PID 2796 wrote to memory of 2764	2796	70330eab735f4331f9644dd24a264e4e.exe	26
PID 2796 wrote to memory of 3028	2796	70330eab735f4331f9644dd24a264e4e.exe	34
PID 2796 wrote to memory of 3028	2796	70330eab735f4331f9644dd24a264e4e.exe	34
PID 2796 wrote to memory of 3028	2796	70330eab735f4331f9644dd24a264e4e.exe	34
PID 2796 wrote to memory of 3028	2796	70330eab735f4331f9644dd24a264e4e.exe	34
PID 3028 wrote to memory of 2188	3028	cmd.exe	32
PID 3028 wrote to memory of 2188	3028	cmd.exe	32
PID 3028 wrote to memory of 2188	3028	cmd.exe	32
PID 3028 wrote to memory of 2188	3028	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe
"C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe
  C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\cpKHVG.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe

Filesize
323KB

MD5
a6d7f9bc52595015ea8fc1c217e6e572

SHA1
90da063fc9b4b9b3b353fc97ce51359b9704af3b

SHA256
23c47d3296b332f2168acf82d595c62fa06a217906321369ffcaa21c59bf3698

SHA512
65117adb4782d08ecee5301ad599529ec766f252e9085629443ea6dbcd98c6499ec4f6252d2e75a02fad6e3d5343d37052621471a295e3a3d01dc3e8ca81756d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpKHVG.xml

Filesize
1KB

MD5
4b4e303286683e166f21d20bec8b75e1

SHA1
2000e372f5e9974b13c297c6f7ffbb556a539a13

SHA256
9633c415d4e8b902e0b390c085de3db1169852339c4ac114f9d759f4edf2f6e9

SHA512
c2336b90765c773c646d9bf58fc5b7a6ce58f1c79f1677bf989bc20ad7d3d8b3688558af4299cfafc351f1432b14f01b21477fe9c7785a5b3da39ac912014f1b

Download Submit
\Users\Admin\AppData\Local\Temp\70330eab735f4331f9644dd24a264e4e.exe

Filesize
65KB

MD5
4def602f0e6162a0d33802fd6df95e45

SHA1
d089369777d8d949ccd3299492dc116c5d81fdcd

SHA256
8fc7d82179ab064c622ca9651a32fdbfe513cab963a2174ad33a76fa627171fd

SHA512
e230ade47fedb02e04af6be6bfe50cb3e7c99f8aae630b1b0b60ad1f471aed2e96bcc17612296d62fbce91df088142fc7e532b445e93b952300723207d7bc017

Download Submit
memory/2756-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2756-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-17-0x0000000022F60000-0x00000000231BC000-memory.dmp

Filesize
2.4MB

Download
memory/2756-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-2-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2756-54-0x0000000022F60000-0x00000000231BC000-memory.dmp

Filesize
2.4MB

Download
memory/2796-23-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2796-25-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2796-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2796-28-0x00000000002A0000-0x000000000030B000-memory.dmp

Filesize
428KB

Download
memory/2796-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads