a32f54d69f0e37e9f0b8aae7104950b72cf4f3b620c7d4c59a33ba538ad5ae72

General

Target

74f3f8df8bced4eca355d725b22f165e.exe
Size

302KB
MD5

74f3f8df8bced4eca355d725b22f165e
SHA1

4bf6a7aa51339d5a501ec255d2abb864bd102a18
SHA256

a32f54d69f0e37e9f0b8aae7104950b72cf4f3b620c7d4c59a33ba538ad5ae72
SHA512

06c04d7113be58f1f67f32911b5cd0ca77976c6472257af6c0f0e3778b08779514e75a5b515e9f52126f65b96f90c1cc73154ac55b69ea8321cdf1d4137825dd
SSDEEP

6144:IwGZUrIP+cMttgpCTd7nb1rCi+jBjfUHpIDyvQmQ:IZUrIPJMtepabpPHVIm

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

pid process

2348 74f3f8df8bced4eca355d725b22f165e.exe
Executes dropped EXE 1 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

pid process

2348 74f3f8df8bced4eca355d725b22f165e.exe
Loads dropped DLL 1 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

pid process

2212 74f3f8df8bced4eca355d725b22f165e.exe

pid	process
2348	74f3f8df8bced4eca355d725b22f165e.exe

pid	process
2348	74f3f8df8bced4eca355d725b22f165e.exe

pid	process
2212	74f3f8df8bced4eca355d725b22f165e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe	upx
behavioral1/memory/2212-13-0x00000000014E0000-0x00000000015C0000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	74f3f8df8bced4eca355d725b22f165e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	74f3f8df8bced4eca355d725b22f165e.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	74f3f8df8bced4eca355d725b22f165e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	74f3f8df8bced4eca355d725b22f165e.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

pid process

2212 74f3f8df8bced4eca355d725b22f165e.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe74f3f8df8bced4eca355d725b22f165e.exe

pid process

2212 74f3f8df8bced4eca355d725b22f165e.exe
2348 74f3f8df8bced4eca355d725b22f165e.exe

pid	process
2212	74f3f8df8bced4eca355d725b22f165e.exe

pid	process
2212	74f3f8df8bced4eca355d725b22f165e.exe
2348	74f3f8df8bced4eca355d725b22f165e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74f3f8df8bced4eca355d725b22f165e.exe

description	pid	process	target process
PID 2212 wrote to memory of 2348	2212	74f3f8df8bced4eca355d725b22f165e.exe	74f3f8df8bced4eca355d725b22f165e.exe
PID 2212 wrote to memory of 2348	2212	74f3f8df8bced4eca355d725b22f165e.exe	74f3f8df8bced4eca355d725b22f165e.exe
PID 2212 wrote to memory of 2348	2212	74f3f8df8bced4eca355d725b22f165e.exe	74f3f8df8bced4eca355d725b22f165e.exe
PID 2212 wrote to memory of 2348	2212	74f3f8df8bced4eca355d725b22f165e.exe	74f3f8df8bced4eca355d725b22f165e.exe

C:\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe
"C:\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe
C:\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\74f3f8df8bced4eca355d725b22f165e.exe
Filesize
302KB

MD5
a120b14c01f3b905b55885a5d35a264b

SHA1
7ccff1c419c098d2fafdd9fb8468ec96cc839744

SHA256
c27e35573cf6b6929f9dc0306a41353d7597a8831556ecb4f50af6678febf49c

SHA512
82aba217967fa0a527676cbbef0afcc7b338c468d34b7e03f7776469086f7ab278d387c14eb50f5f08773445a6a78101b1eda1ecce9c19714e60c7e6a76f8efd

Download Submit
memory/2212-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2212-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-4-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2212-13-0x00000000014E0000-0x00000000015C0000-memory.dmp

Filesize
896KB

Download
memory/2212-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-18-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2348-34-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads