202cb4808a55b92d81c3df0ca9d44a6c901efad5997a9a893c61dbb7d5b1b79e

General

Target

74ef01b341c824eaef3921b5ef78e265.exe
Size

2.6MB
MD5

74ef01b341c824eaef3921b5ef78e265
SHA1

6c09b675871d4d58c20f9e14ade7a99a1297cc41
SHA256

202cb4808a55b92d81c3df0ca9d44a6c901efad5997a9a893c61dbb7d5b1b79e
SHA512

603868926d5a6e58ab6a797acfcf1ccfdd0500f1a0ee69917f97ca048446cf8d6e532c76f9317ded26be8d758aa3bdca70d29ee90be757ef40997f26db530d37
SSDEEP

49152:7F8+IfkFtBNjP3j3QijxNTMEdVi1KaL4J/A1r9ay3:7pvn73TLGB53

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

pid process

1332 74ef01b341c824eaef3921b5ef78e265.exe
Executes dropped EXE 1 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

pid process

1332 74ef01b341c824eaef3921b5ef78e265.exe
Loads dropped DLL 1 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

pid process

1752 74ef01b341c824eaef3921b5ef78e265.exe

pid	process
1332	74ef01b341c824eaef3921b5ef78e265.exe

pid	process
1332	74ef01b341c824eaef3921b5ef78e265.exe

pid	process
1752	74ef01b341c824eaef3921b5ef78e265.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe	upx
behavioral1/memory/1332-17-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	74ef01b341c824eaef3921b5ef78e265.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	74ef01b341c824eaef3921b5ef78e265.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	74ef01b341c824eaef3921b5ef78e265.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	74ef01b341c824eaef3921b5ef78e265.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

pid process

1752 74ef01b341c824eaef3921b5ef78e265.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe74ef01b341c824eaef3921b5ef78e265.exe

pid process

1752 74ef01b341c824eaef3921b5ef78e265.exe
1332 74ef01b341c824eaef3921b5ef78e265.exe

pid	process
1752	74ef01b341c824eaef3921b5ef78e265.exe

pid	process
1752	74ef01b341c824eaef3921b5ef78e265.exe
1332	74ef01b341c824eaef3921b5ef78e265.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74ef01b341c824eaef3921b5ef78e265.exe

description	pid	process	target process
PID 1752 wrote to memory of 1332	1752	74ef01b341c824eaef3921b5ef78e265.exe	74ef01b341c824eaef3921b5ef78e265.exe
PID 1752 wrote to memory of 1332	1752	74ef01b341c824eaef3921b5ef78e265.exe	74ef01b341c824eaef3921b5ef78e265.exe
PID 1752 wrote to memory of 1332	1752	74ef01b341c824eaef3921b5ef78e265.exe	74ef01b341c824eaef3921b5ef78e265.exe
PID 1752 wrote to memory of 1332	1752	74ef01b341c824eaef3921b5ef78e265.exe	74ef01b341c824eaef3921b5ef78e265.exe

C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe
"C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe
C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe
Filesize
1.3MB

MD5
a8fed2bc5a433821cf077112ad4bf11d

SHA1
cd0bb19e0fa380e351bfa7922aff22072136a7d9

SHA256
2aa9b2b1dd379ee1035afa755b74ced1927274dc36dda216771918509eb9b31d

SHA512
a842f35c180e076fe36915e07f4d98b457b0b350c8a975204450051ea1471c01015344e5984e6cd8572212d67115341bf01a62678f658905ed629f902d48dc0c

Download Submit
\Users\Admin\AppData\Local\Temp\74ef01b341c824eaef3921b5ef78e265.exe
Filesize
1.2MB

MD5
1046b7bb0168481a7ea23d7d2b1ad6b2

SHA1
0a7c09e08b47146b3941043373210323bbaf4627

SHA256
df9ce0ea6976a0428b1445cad830f0aa62ca44b8a21e77ef7dea04e0633afd03

SHA512
13bca56d3fd4f6fb5961553657bb90a45a49fdcdece2b3394b417f652eec6462b0f2e05a8ec95b948559e1955a89b5404434df3961abde98c72197ccb2bfb930

Download Submit
memory/1332-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1332-19-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1332-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1752-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1752-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1752-2-0x00000000021D0000-0x000000000242A000-memory.dmp

Filesize
2.4MB

Download
memory/1752-16-0x0000000003830000-0x00000000041CE000-memory.dmp

Filesize
9.6MB

Download
memory/1752-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1752-43-0x0000000003830000-0x00000000041CE000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads