b9b7fa49df3067fe019994494f04a394f3e7b070bb145950a1762f785ed4b2db

General

Target

751b36fff907a13ce2117455c14b4325.exe
Size

3.9MB
MD5

751b36fff907a13ce2117455c14b4325
SHA1

149fdccfe1ef72216895f9f9b5a661370226bf0c
SHA256

b9b7fa49df3067fe019994494f04a394f3e7b070bb145950a1762f785ed4b2db
SHA512

a121736c4c0c6e042eef41309a845f0e491a69e8caf53a592a5b5dace67557d8ffa535682877f0ca83f256df10963b3fdc6e7b1c567e79ff627447e8134e5a5d
SSDEEP

98304:1wWD2i7D3xkOxYwpK6kV8x94MD2i7D3xkOxYwpK7klaeIBSdW+um4D2i7D3xkOx8:1wWh7FkNqK6y8x9nh7FkNqKwla9cVShQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe

pid process

2492 751b36fff907a13ce2117455c14b4325.exe
Executes dropped EXE 1 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe

pid process

2492 751b36fff907a13ce2117455c14b4325.exe
Loads dropped DLL 1 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe

pid process

808 751b36fff907a13ce2117455c14b4325.exe

pid	process
2492	751b36fff907a13ce2117455c14b4325.exe

pid	process
2492	751b36fff907a13ce2117455c14b4325.exe

pid	process
808	751b36fff907a13ce2117455c14b4325.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/808-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe	upx
behavioral1/memory/2492-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3056 schtasks.exe

flow	ioc
2	pastebin.com

pid	process
3056	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

751b36fff907a13ce2117455c14b4325.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	751b36fff907a13ce2117455c14b4325.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	751b36fff907a13ce2117455c14b4325.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	751b36fff907a13ce2117455c14b4325.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	751b36fff907a13ce2117455c14b4325.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe

pid process

808 751b36fff907a13ce2117455c14b4325.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe751b36fff907a13ce2117455c14b4325.exe

pid process

808 751b36fff907a13ce2117455c14b4325.exe
2492 751b36fff907a13ce2117455c14b4325.exe

pid	process
808	751b36fff907a13ce2117455c14b4325.exe

pid	process
808	751b36fff907a13ce2117455c14b4325.exe
2492	751b36fff907a13ce2117455c14b4325.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

751b36fff907a13ce2117455c14b4325.exe751b36fff907a13ce2117455c14b4325.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 2492	808	751b36fff907a13ce2117455c14b4325.exe	751b36fff907a13ce2117455c14b4325.exe
PID 808 wrote to memory of 2492	808	751b36fff907a13ce2117455c14b4325.exe	751b36fff907a13ce2117455c14b4325.exe
PID 808 wrote to memory of 2492	808	751b36fff907a13ce2117455c14b4325.exe	751b36fff907a13ce2117455c14b4325.exe
PID 808 wrote to memory of 2492	808	751b36fff907a13ce2117455c14b4325.exe	751b36fff907a13ce2117455c14b4325.exe
PID 2492 wrote to memory of 3056	2492	751b36fff907a13ce2117455c14b4325.exe	schtasks.exe
PID 2492 wrote to memory of 3056	2492	751b36fff907a13ce2117455c14b4325.exe	schtasks.exe
PID 2492 wrote to memory of 3056	2492	751b36fff907a13ce2117455c14b4325.exe	schtasks.exe
PID 2492 wrote to memory of 3056	2492	751b36fff907a13ce2117455c14b4325.exe	schtasks.exe
PID 2492 wrote to memory of 3052	2492	751b36fff907a13ce2117455c14b4325.exe	cmd.exe
PID 2492 wrote to memory of 3052	2492	751b36fff907a13ce2117455c14b4325.exe	cmd.exe
PID 2492 wrote to memory of 3052	2492	751b36fff907a13ce2117455c14b4325.exe	cmd.exe
PID 2492 wrote to memory of 3052	2492	751b36fff907a13ce2117455c14b4325.exe	cmd.exe
PID 3052 wrote to memory of 2880	3052	cmd.exe	schtasks.exe
PID 3052 wrote to memory of 2880	3052	cmd.exe	schtasks.exe
PID 3052 wrote to memory of 2880	3052	cmd.exe	schtasks.exe
PID 3052 wrote to memory of 2880	3052	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe
"C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe
C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe" /TN MXmKXYLpa01b /F
3⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\N9Lbdi.xml
3⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN MXmKXYLpa01b
4⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe
Filesize
199KB

MD5
74daa5561eef680dba8acde5f2f940b6

SHA1
10410330c2e391cc934116316cfe91e3b43df1cc

SHA256
653a67a578f246cc82a4a6b298b24ff5506ff5dc1f501ef2c8a5e4cfad6f72b8

SHA512
6fabf966f655e6aebb853af8e06f1e6dea956ea1f3e0a3e7c3b5e9bcc63b92b624941b0da2300db564da8384f757936f712dbf21863d486224a3b2058f108b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\N9Lbdi.xml
Filesize
1KB

MD5
45b02d8fab1b13b12af79228b5bcfdbc

SHA1
88b9448ea574eb5c77ed8d612f8baffcb253a794

SHA256
1ac6479ae5586408f0c0594854d08ececc8a349c02849f9bff1070716503eed2

SHA512
50dd1656b8ee4fd8d7efc59d7c30ea2cefddc03d0d67463757e73e73bc9254b85afaa8757fbcd04f7c6861d8d709cd9b99b7e86644d31af50c2e04dfeeb65a41

Download Submit
\Users\Admin\AppData\Local\Temp\751b36fff907a13ce2117455c14b4325.exe
Filesize
303KB

MD5
a8bcfe50f0e5bfa070c1f9b3536ea281

SHA1
52847e61beb28c5a9ece40d66cee453f78f29191

SHA256
7702f39b4479788f158cca47818239b2c24c6510ba30b7c517ac6526ec524feb

SHA512
88d5d3e972940dea885a1f1d2e35641c80608b1cac29ef9b4cd35ac79a03fb4437b9114e6ef5329498555fc5e5798a46086da860cbea8b803571d19907713071

Download Submit
memory/808-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/808-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/808-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/808-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2492-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2492-20-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2492-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2492-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2492-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads