b6e3021017eec6f146e96ece9474d7990b4d574cfa50ec5dec3b86f002d6b0c8

General

Target

7522c4702b11ad52da4c03c45f527031.exe
Size

133KB
MD5

7522c4702b11ad52da4c03c45f527031
SHA1

4756f3bba17aa058d3a39a915719c0f9d09124a7
SHA256

b6e3021017eec6f146e96ece9474d7990b4d574cfa50ec5dec3b86f002d6b0c8
SHA512

a0348d49d887659dac88323c26e8fa9b3720c61d1f1cbb09f98b7c214b161430ea8d094b26bc24d27e8427ce8022b640d43602eb36e0bea5d94cac18b7231346
SSDEEP

3072:WnS2BUKBiRI/3paqNy4gNqIB1N9VKq8WCN2+g6uXk1MuQ:ZaiOv8GyD1N9VX8i+OXWtQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe

pid process

2704 7522c4702b11ad52da4c03c45f527031.exe
Executes dropped EXE 1 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe

pid process

2704 7522c4702b11ad52da4c03c45f527031.exe
Loads dropped DLL 1 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe

pid process

1864 7522c4702b11ad52da4c03c45f527031.exe

pid	process
2704	7522c4702b11ad52da4c03c45f527031.exe

pid	process
2704	7522c4702b11ad52da4c03c45f527031.exe

pid	process
1864	7522c4702b11ad52da4c03c45f527031.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1864-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

7522c4702b11ad52da4c03c45f527031.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7522c4702b11ad52da4c03c45f527031.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7522c4702b11ad52da4c03c45f527031.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7522c4702b11ad52da4c03c45f527031.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7522c4702b11ad52da4c03c45f527031.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe

pid process

1864 7522c4702b11ad52da4c03c45f527031.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe7522c4702b11ad52da4c03c45f527031.exe

pid process

1864 7522c4702b11ad52da4c03c45f527031.exe
2704 7522c4702b11ad52da4c03c45f527031.exe

pid	process
1864	7522c4702b11ad52da4c03c45f527031.exe

pid	process
1864	7522c4702b11ad52da4c03c45f527031.exe
2704	7522c4702b11ad52da4c03c45f527031.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7522c4702b11ad52da4c03c45f527031.exe

description	pid	process	target process
PID 1864 wrote to memory of 2704	1864	7522c4702b11ad52da4c03c45f527031.exe	7522c4702b11ad52da4c03c45f527031.exe
PID 1864 wrote to memory of 2704	1864	7522c4702b11ad52da4c03c45f527031.exe	7522c4702b11ad52da4c03c45f527031.exe
PID 1864 wrote to memory of 2704	1864	7522c4702b11ad52da4c03c45f527031.exe	7522c4702b11ad52da4c03c45f527031.exe
PID 1864 wrote to memory of 2704	1864	7522c4702b11ad52da4c03c45f527031.exe	7522c4702b11ad52da4c03c45f527031.exe

C:\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe
"C:\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe
C:\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7522c4702b11ad52da4c03c45f527031.exe

Filesize
133KB

MD5
14080eac2e8c48a403452b0f7d441fd6

SHA1
cc652dcb9cd7856f5b77f6f086aa2790efb31e0f

SHA256
02bf73e94497a8768996a0c7fdd701e7eb5e7d5e789a64af8f38f4761674e862

SHA512
8875807d15b960ceb207751341013a8d3530d7c2e2708bad29ca21f2955a502fa5af7f74cf0084a778c9be99df227255f2ec400333ecabab20eda9ef63f36f0b

Download Submit
memory/1864-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1864-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1864-1-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1864-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1864-16-0x0000000000190000-0x0000000000216000-memory.dmp

Filesize
536KB

Download
memory/2704-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2704-19-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/2704-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads