91880b637d758088b576296a7d5e68faef3c50d17cb2f638ddb0d5206f2f1209

General

Target

74edf1ee17b17e18632d244ef906b5ac.exe
Size

133KB
MD5

74edf1ee17b17e18632d244ef906b5ac
SHA1

47f823f7aca2969001863f935e9d786776ba8d1c
SHA256

91880b637d758088b576296a7d5e68faef3c50d17cb2f638ddb0d5206f2f1209
SHA512

b76e2d59ec0cfe69454bbbc9f220a7e6fc17cf4cbe331c0116dbc6f7fa4a6964bf17727df49a9048d52e6a7f12d97cccb419b9d9f8fd6d60e9417eb50bd10cca
SSDEEP

3072:aQzImYHMDTgrV5+CSFZlLVelT/4Uac6nAxQ:BGHK8bRSvxVelTsaxQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

pid process

1852 74edf1ee17b17e18632d244ef906b5ac.exe
Executes dropped EXE 1 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

pid process

1852 74edf1ee17b17e18632d244ef906b5ac.exe
Loads dropped DLL 1 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

pid process

1708 74edf1ee17b17e18632d244ef906b5ac.exe

pid	process
1852	74edf1ee17b17e18632d244ef906b5ac.exe

pid	process
1852	74edf1ee17b17e18632d244ef906b5ac.exe

pid	process
1708	74edf1ee17b17e18632d244ef906b5ac.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	74edf1ee17b17e18632d244ef906b5ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	74edf1ee17b17e18632d244ef906b5ac.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	74edf1ee17b17e18632d244ef906b5ac.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	74edf1ee17b17e18632d244ef906b5ac.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

pid process

1708 74edf1ee17b17e18632d244ef906b5ac.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe74edf1ee17b17e18632d244ef906b5ac.exe

pid process

1708 74edf1ee17b17e18632d244ef906b5ac.exe
1852 74edf1ee17b17e18632d244ef906b5ac.exe

pid	process
1708	74edf1ee17b17e18632d244ef906b5ac.exe

pid	process
1708	74edf1ee17b17e18632d244ef906b5ac.exe
1852	74edf1ee17b17e18632d244ef906b5ac.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74edf1ee17b17e18632d244ef906b5ac.exe

description	pid	process	target process
PID 1708 wrote to memory of 1852	1708	74edf1ee17b17e18632d244ef906b5ac.exe	74edf1ee17b17e18632d244ef906b5ac.exe
PID 1708 wrote to memory of 1852	1708	74edf1ee17b17e18632d244ef906b5ac.exe	74edf1ee17b17e18632d244ef906b5ac.exe
PID 1708 wrote to memory of 1852	1708	74edf1ee17b17e18632d244ef906b5ac.exe	74edf1ee17b17e18632d244ef906b5ac.exe
PID 1708 wrote to memory of 1852	1708	74edf1ee17b17e18632d244ef906b5ac.exe	74edf1ee17b17e18632d244ef906b5ac.exe

C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe
"C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe
C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74edf1ee17b17e18632d244ef906b5ac.exe
Filesize
133KB

MD5
c1a6098e7889dac2bb0d283443755d83

SHA1
1893aafd42ac5d6ac9a37ea7a07b8899e395d871

SHA256
62b41f13e1f36c5d2feb8708aee490bb4dd429a678de2bb80cd65462706983f2

SHA512
7bd1650be3461a82ff4e07714b6ea12ee2e54f7f3d5bb5c03a41e8d4068416f8df2c962a67f053720ff29b870f3ec2a5c29b83a6a75da3bc8ecf1b2146a19737

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1708-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1708-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-15-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/1708-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-43-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/1852-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1852-21-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1852-44-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads