21e538e53342d6ef23fd623b3b54bea2016196386f113578f97f880c5d25954d

General

Target

76c37677f3d520bf2b445763963bffff.exe
Size

2.0MB
MD5

76c37677f3d520bf2b445763963bffff
SHA1

bd6f5477d36d3bb9b961cf0a219ed6bb937bb349
SHA256

21e538e53342d6ef23fd623b3b54bea2016196386f113578f97f880c5d25954d
SHA512

77c43baa1d5ce25602bd066bcfd52d0f439b2ac2d7e3ba9cdba366c46db016778957a7132e21125599976e2b000fa6cbf94393971b6c98495535f3930c208a81
SSDEEP

49152:e1YY9RlMx1WnxAX+vu2zBF1BFRVhBonxAX:w9RlMHWnxAXsu2zBnrRVhBonxAX

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	76c37677f3d520bf2b445763963bffff.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	76c37677f3d520bf2b445763963bffff.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	76c37677f3d520bf2b445763963bffff.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012243-11.dat	upx
behavioral1/memory/2332-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2060	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	76c37677f3d520bf2b445763963bffff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	76c37677f3d520bf2b445763963bffff.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	76c37677f3d520bf2b445763963bffff.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	76c37677f3d520bf2b445763963bffff.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2656	76c37677f3d520bf2b445763963bffff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2656	76c37677f3d520bf2b445763963bffff.exe
2332	76c37677f3d520bf2b445763963bffff.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2332	2656	76c37677f3d520bf2b445763963bffff.exe	29
PID 2656 wrote to memory of 2332	2656	76c37677f3d520bf2b445763963bffff.exe	29
PID 2656 wrote to memory of 2332	2656	76c37677f3d520bf2b445763963bffff.exe	29
PID 2656 wrote to memory of 2332	2656	76c37677f3d520bf2b445763963bffff.exe	29
PID 2332 wrote to memory of 2060	2332	76c37677f3d520bf2b445763963bffff.exe	30
PID 2332 wrote to memory of 2060	2332	76c37677f3d520bf2b445763963bffff.exe	30
PID 2332 wrote to memory of 2060	2332	76c37677f3d520bf2b445763963bffff.exe	30
PID 2332 wrote to memory of 2060	2332	76c37677f3d520bf2b445763963bffff.exe	30
PID 2332 wrote to memory of 2844	2332	76c37677f3d520bf2b445763963bffff.exe	33
PID 2332 wrote to memory of 2844	2332	76c37677f3d520bf2b445763963bffff.exe	33
PID 2332 wrote to memory of 2844	2332	76c37677f3d520bf2b445763963bffff.exe	33
PID 2332 wrote to memory of 2844	2332	76c37677f3d520bf2b445763963bffff.exe	33
PID 2844 wrote to memory of 2908	2844	cmd.exe	34
PID 2844 wrote to memory of 2908	2844	cmd.exe	34
PID 2844 wrote to memory of 2908	2844	cmd.exe	34
PID 2844 wrote to memory of 2908	2844	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe
"C:\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe
  C:\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\7mT28T3O0.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uhTCmbCqd877
      4⤵
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7mT28T3O0.xml

Filesize
1KB

MD5
2a025eada345e87caa90b9e23ddd94a3

SHA1
0026640a5e11c57db465e3876c0533ebfe5aa2fb

SHA256
cd3e33098313aa0a1490578249a795f2e5965bf945c71e4e66f0307b37e38640

SHA512
7cc83f9c2188b0dd0d7d39c528dbb57dbceac3ea4cd9e3ed7bffdf8ffaf42a11e8d0e1691b63e15d3fcd220f661f1ed15b0ff5556abf360fdf8c09c4535b7e37

Download Submit
\Users\Admin\AppData\Local\Temp\76c37677f3d520bf2b445763963bffff.exe

Filesize
2.0MB

MD5
ecad85d025f45468d8dfbd0baa1f1bab

SHA1
91e916f7edb66038133417d8e43c56d1b16d714b

SHA256
5e004b47d01c6db18dedae0da0320640f15cf981f31e626307e704358a32120c

SHA512
491502efc8c43283c3fb4c65364edfd4a084ec4697462099324998e71c1ac7e41595c37ffe9714b23c09dffed82625a1d530a769d388e8d989076f0b765c462e

Download Submit
memory/2332-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2332-19-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/2332-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2332-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2332-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2656-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2656-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2656-2-0x0000000000290000-0x000000000030E000-memory.dmp

Filesize
504KB

Download
memory/2656-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads