233ad983a171a34d49cff920321ef26db4c3ba0a95c37a1c73f0e35d1f18843b

General

Target

751af3e87f38559824ac3c3359612d7e.exe
Size

5.1MB
MD5

751af3e87f38559824ac3c3359612d7e
SHA1

0374f756ea23d5d3e3c25503bd82a15622221384
SHA256

233ad983a171a34d49cff920321ef26db4c3ba0a95c37a1c73f0e35d1f18843b
SHA512

37def4c7574723ce8dc75123889e0877433980d90998b43532f8f2fb54ff75f503570e917f1f1704549f3b64e7518267cf6ca0bf9574c9d376bb1361218ea703
SSDEEP

49152:6EWOP6fuvxp1nwNjkwWzee+IN8KcbmNokjItZ0YN3Ijhay35bkrfg8FYri+ts5EH:6EW9k1nwOOm30g2yOEjjs9/g3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe

pid process

1960 751af3e87f38559824ac3c3359612d7e.exe
Executes dropped EXE 1 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe

pid process

1960 751af3e87f38559824ac3c3359612d7e.exe
Loads dropped DLL 1 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe

pid process

2232 751af3e87f38559824ac3c3359612d7e.exe

pid	process
1960	751af3e87f38559824ac3c3359612d7e.exe

pid	process
1960	751af3e87f38559824ac3c3359612d7e.exe

pid	process
2232	751af3e87f38559824ac3c3359612d7e.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe	upx
behavioral1/memory/2232-15-0x0000000004060000-0x00000000049FE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe	upx
behavioral1/memory/1960-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

751af3e87f38559824ac3c3359612d7e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	751af3e87f38559824ac3c3359612d7e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	751af3e87f38559824ac3c3359612d7e.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	751af3e87f38559824ac3c3359612d7e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	751af3e87f38559824ac3c3359612d7e.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe

pid process

2232 751af3e87f38559824ac3c3359612d7e.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe751af3e87f38559824ac3c3359612d7e.exe

pid process

2232 751af3e87f38559824ac3c3359612d7e.exe
1960 751af3e87f38559824ac3c3359612d7e.exe

pid	process
2232	751af3e87f38559824ac3c3359612d7e.exe

pid	process
2232	751af3e87f38559824ac3c3359612d7e.exe
1960	751af3e87f38559824ac3c3359612d7e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

751af3e87f38559824ac3c3359612d7e.exe

description	pid	process	target process
PID 2232 wrote to memory of 1960	2232	751af3e87f38559824ac3c3359612d7e.exe	751af3e87f38559824ac3c3359612d7e.exe
PID 2232 wrote to memory of 1960	2232	751af3e87f38559824ac3c3359612d7e.exe	751af3e87f38559824ac3c3359612d7e.exe
PID 2232 wrote to memory of 1960	2232	751af3e87f38559824ac3c3359612d7e.exe	751af3e87f38559824ac3c3359612d7e.exe
PID 2232 wrote to memory of 1960	2232	751af3e87f38559824ac3c3359612d7e.exe	751af3e87f38559824ac3c3359612d7e.exe

C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe
"C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe
C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe

Filesize
709KB

MD5
7b9e4e61b4b9f35ea1f2ec01220e2200

SHA1
79c0a4cbe0ea7931ee7c0a31186ef4126fb430a8

SHA256
682155d90db2e5ddd52d9d323c732dd970bfd50faf1b4cce1a81f2b113a3a808

SHA512
cb5799b07faa03c6765e01e3154a6fdefdad3868f4162e191cca25395bcaeed3bef2f9c0981a1747f33e40c9ff04eb3f2acb153e4f74a329566978686cbc84e4

Download Submit
\Users\Admin\AppData\Local\Temp\751af3e87f38559824ac3c3359612d7e.exe

Filesize
698KB

MD5
15540cf9fae2e4048b00c08e27037cf3

SHA1
63b58c0b1499dc45b0f0e98627d4c11d4efbbfda

SHA256
88b5f6f5c481befd1a1327a96668176d440b9717bea46f52c2ff52e690e80f6e

SHA512
da8fbf05a59b87af5c21efae9eacc6e7fae1ef188757213d561f4eb62f2e26e049fe789b12520b292a61b069829b553d7a686ca719be4273cc78b04a29ab7f4a

Download Submit
memory/1960-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1960-20-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1960-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2232-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2232-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2232-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2232-15-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2232-16-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2232-43-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads