e21fc46783ceba50173e3246b5e6396efe052c2ce5c4e57ac8f34ebb88062076

General

Target

74ee459180516358ed8633dcc009bbeb.exe
Size

133KB
MD5

74ee459180516358ed8633dcc009bbeb
SHA1

4f4482a4d3b2a11e0b7dd30f3ffc7fdce5aea735
SHA256

e21fc46783ceba50173e3246b5e6396efe052c2ce5c4e57ac8f34ebb88062076
SHA512

5f1cb241ad82b79e427efb00d8d16f591d8e6e9cff2602f00f60ba382ec922691ab1037bca6f6f50d2112a0be010d0f4d2797187f5f9e7fe32fc42739f8c2866
SSDEEP

3072:o+8ShjvbywEnSV/A8ImQvfpUY207gWHQh6+kQ:VjblEnS9opUA75/+kQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe

pid process

1308 74ee459180516358ed8633dcc009bbeb.exe
Executes dropped EXE 1 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe

pid process

1308 74ee459180516358ed8633dcc009bbeb.exe
Loads dropped DLL 1 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe

pid process

2532 74ee459180516358ed8633dcc009bbeb.exe

pid	process
1308	74ee459180516358ed8633dcc009bbeb.exe

pid	process
1308	74ee459180516358ed8633dcc009bbeb.exe

pid	process
2532	74ee459180516358ed8633dcc009bbeb.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2532-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

74ee459180516358ed8633dcc009bbeb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	74ee459180516358ed8633dcc009bbeb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	74ee459180516358ed8633dcc009bbeb.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	74ee459180516358ed8633dcc009bbeb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	74ee459180516358ed8633dcc009bbeb.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe

pid process

2532 74ee459180516358ed8633dcc009bbeb.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe74ee459180516358ed8633dcc009bbeb.exe

pid process

2532 74ee459180516358ed8633dcc009bbeb.exe
1308 74ee459180516358ed8633dcc009bbeb.exe

pid	process
2532	74ee459180516358ed8633dcc009bbeb.exe

pid	process
2532	74ee459180516358ed8633dcc009bbeb.exe
1308	74ee459180516358ed8633dcc009bbeb.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74ee459180516358ed8633dcc009bbeb.exe

description	pid	process	target process
PID 2532 wrote to memory of 1308	2532	74ee459180516358ed8633dcc009bbeb.exe	74ee459180516358ed8633dcc009bbeb.exe
PID 2532 wrote to memory of 1308	2532	74ee459180516358ed8633dcc009bbeb.exe	74ee459180516358ed8633dcc009bbeb.exe
PID 2532 wrote to memory of 1308	2532	74ee459180516358ed8633dcc009bbeb.exe	74ee459180516358ed8633dcc009bbeb.exe
PID 2532 wrote to memory of 1308	2532	74ee459180516358ed8633dcc009bbeb.exe	74ee459180516358ed8633dcc009bbeb.exe

C:\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe
"C:\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe
C:\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\74ee459180516358ed8633dcc009bbeb.exe
Filesize
133KB

MD5
6801009610ced26b1961a82b53d3da39

SHA1
c0bdc6be924fb3e9ef4e8939fe0e8bc855e1cb13

SHA256
7cb9eaf0005dc322d4760f02ba8d48733579b430a816683506c164020141b89a

SHA512
ad3762b4f884da9502cfcbecca9017c6986f76652ff705990c781807e012cd0d91f765ffeda5cf5fca7f4a157b1338f8b18f5b19c574b27a7a5dd857e00a35bc

Download Submit
memory/1308-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1308-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1308-42-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2532-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2532-2-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2532-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-16-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2532-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads