790bff3bdf92e65f5e083bc5bf96c1207ba2479665cb2ab2dc29390aa9cb59ef

General

Target

77261618397987078f09f5747ef558f7.exe
Size

2.0MB
MD5

77261618397987078f09f5747ef558f7
SHA1

0e687ab3b648d3840d176a9b01e73676c1bc50ba
SHA256

790bff3bdf92e65f5e083bc5bf96c1207ba2479665cb2ab2dc29390aa9cb59ef
SHA512

cdb1888c4131f6fcdfbb9a8ba1981637063cead8ff13e67cd97315065117e17dec314bb75ec7b436ddf0d5c8eaed74ecd82088700498ebf092093663d4334861
SSDEEP

49152:qbxKbp+8jP6ZGQ7ai7D3xTgOxYwpKhdWN5uqa/JY814GQ7ai7D3xTgOxYwpK:qFKbpdjPQD2i7D3xkOxYwpKPWPra/i8V

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	77261618397987078f09f5747ef558f7.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	77261618397987078f09f5747ef558f7.exe

Loads dropped DLL 1 IoCs

pid	Process
1160	77261618397987078f09f5747ef558f7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-11.dat	upx
behavioral1/memory/1160-16-0x0000000023260000-0x00000000234BC000-memory.dmp	upx
behavioral1/files/0x000a000000012255-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3004	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	77261618397987078f09f5747ef558f7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	77261618397987078f09f5747ef558f7.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	77261618397987078f09f5747ef558f7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	77261618397987078f09f5747ef558f7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1160	77261618397987078f09f5747ef558f7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1160	77261618397987078f09f5747ef558f7.exe
2132	77261618397987078f09f5747ef558f7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2132	1160	77261618397987078f09f5747ef558f7.exe	29
PID 1160 wrote to memory of 2132	1160	77261618397987078f09f5747ef558f7.exe	29
PID 1160 wrote to memory of 2132	1160	77261618397987078f09f5747ef558f7.exe	29
PID 1160 wrote to memory of 2132	1160	77261618397987078f09f5747ef558f7.exe	29
PID 2132 wrote to memory of 3004	2132	77261618397987078f09f5747ef558f7.exe	30
PID 2132 wrote to memory of 3004	2132	77261618397987078f09f5747ef558f7.exe	30
PID 2132 wrote to memory of 3004	2132	77261618397987078f09f5747ef558f7.exe	30
PID 2132 wrote to memory of 3004	2132	77261618397987078f09f5747ef558f7.exe	30
PID 2132 wrote to memory of 2812	2132	77261618397987078f09f5747ef558f7.exe	34
PID 2132 wrote to memory of 2812	2132	77261618397987078f09f5747ef558f7.exe	34
PID 2132 wrote to memory of 2812	2132	77261618397987078f09f5747ef558f7.exe	34
PID 2132 wrote to memory of 2812	2132	77261618397987078f09f5747ef558f7.exe	34
PID 2812 wrote to memory of 2612	2812	cmd.exe	33
PID 2812 wrote to memory of 2612	2812	cmd.exe	33
PID 2812 wrote to memory of 2612	2812	cmd.exe	33
PID 2812 wrote to memory of 2612	2812	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe
"C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe
  C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\woGbgX4B.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN WAgLRKqP8c0d
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe

Filesize
396KB

MD5
aafe1cb633b427edea64951a99dd52bd

SHA1
0587cecbfd47c9ad69b721cc8b01500cdb2d1f03

SHA256
e2079d981e7391311896327de972ec090e94275ae073eadb0620a4686c69ce94

SHA512
82d7dfe90115a989642d8d153a4cdde270004de8cff172cb124339941d4deccbaf11e7cba5e7b4d0482cb6995fbe23b9c885ea9a9584573734681305968e25b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\woGbgX4B.xml

Filesize
1KB

MD5
5f8dc2097e486291e6cee4901177aff5

SHA1
36f0f26888abd28bf10d6d22fc1c6bb960c9bfec

SHA256
4e7f3c083c2801aae702f415248aff158f09221292f6f2b7f81f257f2affcff7

SHA512
42c070df6c1eb3f3cf073707910530626909ed3727db07f8a2014aab5719ec4cf23c31138b68bc497387ea9cb7f31dc9595162c0ab4f1693eeb05a44aeb8eff3

Download Submit
\Users\Admin\AppData\Local\Temp\77261618397987078f09f5747ef558f7.exe

Filesize
440KB

MD5
925017d89bf378d0c29cdda1e25ff5c6

SHA1
271ad6d816fe07be1b809a27b9d86341ec43ae03

SHA256
f9196e4ee08596429c5d99ec728cc14080c4ddcdac9d7f9b7f8a999b6e873623

SHA512
aa7d789c517a00cf4df144d91dc6d2111e7d5342ef8fc6a63fc18648f01621b79403ee1a5d708abe55296c2ecb6e6b974b63b4e4c3b3270c13bbe96d1fe9bf75

Download Submit
memory/1160-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1160-16-0x0000000023260000-0x00000000234BC000-memory.dmp

Filesize
2.4MB

Download
memory/1160-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1160-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1160-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2132-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2132-21-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2132-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2132-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2132-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads