b026f6927f8c42b2db3fcf7ac66815487bf9de1ce6fb367c7670cc665c225487

General

Target

74282be516f848ef05f43fe060b8755f.exe
Size

7.8MB
MD5

74282be516f848ef05f43fe060b8755f
SHA1

00c1b2144410cff879cd42c9d083b00397b40bcd
SHA256

b026f6927f8c42b2db3fcf7ac66815487bf9de1ce6fb367c7670cc665c225487
SHA512

a9d9d312aadd716c44f5efb57a93ad17bb18ede4941fabc3efcea452fa995581415c31e2d013113f7e3ecb2444da676f9a8fc563c99e321cc1f7c2ee270bc369
SSDEEP

196608:Z0ydlir3sLwDmdlirmqAoyGXdlir3sLwDmdlirgC95Udlir3sLwDmdlirmqAoyGW:ZHvGLndCvyvGLn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	74282be516f848ef05f43fe060b8755f.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	74282be516f848ef05f43fe060b8755f.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	74282be516f848ef05f43fe060b8755f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-1-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001224c-11.dat	upx
behavioral1/memory/2500-16-0x0000000023E50000-0x00000000240AC000-memory.dmp	upx
behavioral1/files/0x000d00000001224c-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2796	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	74282be516f848ef05f43fe060b8755f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	74282be516f848ef05f43fe060b8755f.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	74282be516f848ef05f43fe060b8755f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	74282be516f848ef05f43fe060b8755f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2500	74282be516f848ef05f43fe060b8755f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2500	74282be516f848ef05f43fe060b8755f.exe
1972	74282be516f848ef05f43fe060b8755f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1972	2500	74282be516f848ef05f43fe060b8755f.exe	29
PID 2500 wrote to memory of 1972	2500	74282be516f848ef05f43fe060b8755f.exe	29
PID 2500 wrote to memory of 1972	2500	74282be516f848ef05f43fe060b8755f.exe	29
PID 2500 wrote to memory of 1972	2500	74282be516f848ef05f43fe060b8755f.exe	29
PID 1972 wrote to memory of 2796	1972	74282be516f848ef05f43fe060b8755f.exe	30
PID 1972 wrote to memory of 2796	1972	74282be516f848ef05f43fe060b8755f.exe	30
PID 1972 wrote to memory of 2796	1972	74282be516f848ef05f43fe060b8755f.exe	30
PID 1972 wrote to memory of 2796	1972	74282be516f848ef05f43fe060b8755f.exe	30
PID 1972 wrote to memory of 2948	1972	74282be516f848ef05f43fe060b8755f.exe	34
PID 1972 wrote to memory of 2948	1972	74282be516f848ef05f43fe060b8755f.exe	34
PID 1972 wrote to memory of 2948	1972	74282be516f848ef05f43fe060b8755f.exe	34
PID 1972 wrote to memory of 2948	1972	74282be516f848ef05f43fe060b8755f.exe	34
PID 2948 wrote to memory of 2864	2948	cmd.exe	33
PID 2948 wrote to memory of 2864	2948	cmd.exe	33
PID 2948 wrote to memory of 2864	2948	cmd.exe	33
PID 2948 wrote to memory of 2864	2948	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe
"C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe
  C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\4OfVd.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4OfVd.xml

Filesize
1KB

MD5
74013a6dc0625f0496c6b2a9352b4493

SHA1
c0ad7beab1899faf503fb0d08fcba0d96cf8a8de

SHA256
e98c73beb11a3a725f08f38c6a125ff5fee0c3e61866901f9dfb77847f6eb165

SHA512
3e496df3c72fc5f8bc716802c1958a58d857239ed005798536a62ef481ee65d5db1c0b7782bd18c15ec3617ae2913903619fd49e9669c5319404c9b6ce5b5dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe

Filesize
64KB

MD5
204e5a73d0bc8f9cec37525adf160933

SHA1
7a2b0279e12afe1bb197ce3d848e2457782fcb02

SHA256
d3d23d8c80234b5f2b6fb2e47000761d890a3a713d29f4cfd67cc75d8b1f9976

SHA512
c24ab214e1f65b0bab8b0421693544c3bb385301dea96ce5b6c27adfa6ea2f4f315b5b7196e304f98e17d993147b0c7c67b9783c29e196eb09a44eec0f87e91a

Download Submit
\Users\Admin\AppData\Local\Temp\74282be516f848ef05f43fe060b8755f.exe

Filesize
109KB

MD5
13595c40cbcd7af813f963b862ef9c14

SHA1
756c2adb952bf54d99351c3d307d97ba7d421716

SHA256
780749429eb8dbf4966947f7a4dfcb12faba6c1783dc8c526f574a6e5f7a678b

SHA512
f1f97ddaa6a2e62d07b747a94e14782ff6e96437f7b4b4e5bba851d06cb32f23b451e0a27cc34538c2beea618a2b6f30cc502e5c1d5e9c43e82f66726bdb9808

Download Submit
memory/1972-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1972-21-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/1972-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1972-31-0x0000000000370000-0x00000000003DB000-memory.dmp

Filesize
428KB

Download
memory/1972-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2500-16-0x0000000023E50000-0x00000000240AC000-memory.dmp

Filesize
2.4MB

Download
memory/2500-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2500-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads