faf97b6b3d5f05002eafb3f1938d32ba76c9a80119c14ba57a6c13ba1d8e6bcf

General

Target

7515f6a110e269d692c83ce6639f87a9.exe
Size

7.8MB
MD5

7515f6a110e269d692c83ce6639f87a9
SHA1

9df0bd528dba8bf3bb06727c5a883d26e9779320
SHA256

faf97b6b3d5f05002eafb3f1938d32ba76c9a80119c14ba57a6c13ba1d8e6bcf
SHA512

1d31985b92640e1a05c7855474a44ec5d69e839af930087aa6f8f8723ea735b67c925c38dc323918e5ad9a7065108f90c4a81e3029cf108f047a41bac07647f2
SSDEEP

196608:XO8dlirybMgOnkdlirPUedlirybMgOnkdlirx+fSBdlirybMgOnkdlirPUedlirV:XOebMrn7U0bMrn0fUbMrn7U0bMrn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1708	7515f6a110e269d692c83ce6639f87a9.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	7515f6a110e269d692c83ce6639f87a9.exe

Loads dropped DLL 1 IoCs

pid	Process
2536	7515f6a110e269d692c83ce6639f87a9.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-2-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001224e-11.dat	upx
behavioral1/files/0x000a00000001224e-17.dat	upx
behavioral1/memory/2536-16-0x0000000024020000-0x000000002427C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7515f6a110e269d692c83ce6639f87a9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7515f6a110e269d692c83ce6639f87a9.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7515f6a110e269d692c83ce6639f87a9.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7515f6a110e269d692c83ce6639f87a9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2536	7515f6a110e269d692c83ce6639f87a9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2536	7515f6a110e269d692c83ce6639f87a9.exe
1708	7515f6a110e269d692c83ce6639f87a9.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1708	2536	7515f6a110e269d692c83ce6639f87a9.exe	29
PID 2536 wrote to memory of 1708	2536	7515f6a110e269d692c83ce6639f87a9.exe	29
PID 2536 wrote to memory of 1708	2536	7515f6a110e269d692c83ce6639f87a9.exe	29
PID 2536 wrote to memory of 1708	2536	7515f6a110e269d692c83ce6639f87a9.exe	29
PID 1708 wrote to memory of 2764	1708	7515f6a110e269d692c83ce6639f87a9.exe	30
PID 1708 wrote to memory of 2764	1708	7515f6a110e269d692c83ce6639f87a9.exe	30
PID 1708 wrote to memory of 2764	1708	7515f6a110e269d692c83ce6639f87a9.exe	30
PID 1708 wrote to memory of 2764	1708	7515f6a110e269d692c83ce6639f87a9.exe	30
PID 1708 wrote to memory of 2792	1708	7515f6a110e269d692c83ce6639f87a9.exe	33
PID 1708 wrote to memory of 2792	1708	7515f6a110e269d692c83ce6639f87a9.exe	33
PID 1708 wrote to memory of 2792	1708	7515f6a110e269d692c83ce6639f87a9.exe	33
PID 1708 wrote to memory of 2792	1708	7515f6a110e269d692c83ce6639f87a9.exe	33
PID 2792 wrote to memory of 2732	2792	cmd.exe	34
PID 2792 wrote to memory of 2732	2792	cmd.exe	34
PID 2792 wrote to memory of 2732	2792	cmd.exe	34
PID 2792 wrote to memory of 2732	2792	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe
"C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe
  C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\xRhlSlZ9p.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe

Filesize
2.4MB

MD5
4abb7bf07728dafc81a6940c8dd31242

SHA1
cfa8d30e593e4e13ecad4f21d0f7884a361be9b5

SHA256
511a69d59082f017a0abbc3cf8905333a109fffbcaab353ba7138ea7dcbbabd0

SHA512
abf9b9788bde7e89d84bc67966c63791f1912783e531fbe2b1e1202bfc2645ada0c20d9f70cf274e4c16d0917d1df12757a8a69adf14a97f7d85f5ab16c9c285

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRhlSlZ9p.xml

Filesize
1KB

MD5
9de40575debe1085e82e7c0a030b99ea

SHA1
931cf3e10a60759a77eec805a7574279ef872d1a

SHA256
25f73ba3d3992d858d90a5eb39ed17ebd0aef5ffb8fe6d9fbe41945e465849b4

SHA512
2ea8c9d70f005f07040fabc0c4ad906e1be02926983247308b892b7d9b85423baa8b1446262ef9e558148f4292aebc67ca35c1ca2e01e829e73c7d099a6d2844

Download Submit
\Users\Admin\AppData\Local\Temp\7515f6a110e269d692c83ce6639f87a9.exe

Filesize
2.6MB

MD5
79c711be55f068e1f079818803027f41

SHA1
bb09f38eafcd7b24882836944b5bb2504a9ea8fb

SHA256
2cc399df5818ff379722991856af9d043b1fd267493e02e606162a4c31cde32b

SHA512
a2b4828594ce8fd26790da5122f9c0ecb74da02b043a7e93d70cf39352113bb0840427b75e3e6f000c24aca5c5dea66d26603a1a070c5949a89438f148556972

Download Submit
memory/1708-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1708-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1708-21-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/1708-31-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/1708-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2536-4-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2536-16-0x0000000024020000-0x000000002427C000-memory.dmp

Filesize
2.4MB

Download
memory/2536-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2536-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2536-2-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads