852b9362d11b44ed1f743ea0ffbeecdb50df5fbaaf42f1e1677b26732f57f19a

General

Target

7510016c744e45e103a21bf94d3dfb26.exe
Size

133KB
MD5

7510016c744e45e103a21bf94d3dfb26
SHA1

258f8076ff682cfd211af3f9adb601695dad8ef0
SHA256

852b9362d11b44ed1f743ea0ffbeecdb50df5fbaaf42f1e1677b26732f57f19a
SHA512

ce13d15cb00e856428e3206c7c90d52357c1cb2f13516a03babe03db1ff4d379a5511fbf4833843d3149ebeb6a57755692e8fb4c727402575d2880d8a1b897fa
SSDEEP

3072:Gas0ck3YsxEotlhRRAezfcAIHdtFW3znx6h1aD0B5wA+wN4mBl8HQ:GgbbJfDI9Ax6h1nbdfymUHQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

pid process

2920 7510016c744e45e103a21bf94d3dfb26.exe
Executes dropped EXE 1 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

pid process

2920 7510016c744e45e103a21bf94d3dfb26.exe
Loads dropped DLL 1 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

pid process

1708 7510016c744e45e103a21bf94d3dfb26.exe

pid	process
2920	7510016c744e45e103a21bf94d3dfb26.exe

pid	process
2920	7510016c744e45e103a21bf94d3dfb26.exe

pid	process
1708	7510016c744e45e103a21bf94d3dfb26.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7510016c744e45e103a21bf94d3dfb26.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7510016c744e45e103a21bf94d3dfb26.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7510016c744e45e103a21bf94d3dfb26.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7510016c744e45e103a21bf94d3dfb26.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

pid process

1708 7510016c744e45e103a21bf94d3dfb26.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe7510016c744e45e103a21bf94d3dfb26.exe

pid process

1708 7510016c744e45e103a21bf94d3dfb26.exe
2920 7510016c744e45e103a21bf94d3dfb26.exe

pid	process
1708	7510016c744e45e103a21bf94d3dfb26.exe

pid	process
1708	7510016c744e45e103a21bf94d3dfb26.exe
2920	7510016c744e45e103a21bf94d3dfb26.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7510016c744e45e103a21bf94d3dfb26.exe

description	pid	process	target process
PID 1708 wrote to memory of 2920	1708	7510016c744e45e103a21bf94d3dfb26.exe	7510016c744e45e103a21bf94d3dfb26.exe
PID 1708 wrote to memory of 2920	1708	7510016c744e45e103a21bf94d3dfb26.exe	7510016c744e45e103a21bf94d3dfb26.exe
PID 1708 wrote to memory of 2920	1708	7510016c744e45e103a21bf94d3dfb26.exe	7510016c744e45e103a21bf94d3dfb26.exe
PID 1708 wrote to memory of 2920	1708	7510016c744e45e103a21bf94d3dfb26.exe	7510016c744e45e103a21bf94d3dfb26.exe

C:\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe
"C:\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe
C:\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7510016c744e45e103a21bf94d3dfb26.exe
Filesize
133KB

MD5
b369f8f3899e64c04d6e026f4d3a2adc

SHA1
f9b27d9f119bf75f756d69a2a53712f4a1e131ea

SHA256
d122e58c150c959e4ce628a3cb365480bc4f0791821cc8f247867ff73f6fa9cb

SHA512
960fa6039a30e11582f4dfdd153476befc64f2eddfdc04bf3f6286a11a5f2fc1a11a21dd72166a24a201c468a13b53461b6d632444d4006f6fb48099d253fc79

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1708-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-4-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1708-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-16-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/1708-43-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/2920-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-20-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2920-44-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads