4b8aba0aab4ea03a50d19eaafdcd7d55fdb62b49ad6c9892b1efce3f2e52bfd1

General

Target

78e4382b23626a0c54c0e1075517686d.exe
Size

3.9MB
MD5

78e4382b23626a0c54c0e1075517686d
SHA1

1f956b19a9d433c19807106e16896f4df58529ec
SHA256

4b8aba0aab4ea03a50d19eaafdcd7d55fdb62b49ad6c9892b1efce3f2e52bfd1
SHA512

9dc37c1e67f89a9c1d45a53f2f9e47722dd8a746074abc7760ad73f8e8d21e93c832d0765e09695d088dd9987db563ce18979892103d3203b8632ea30c824551
SSDEEP

98304:rw7eZyRcZl1a8+7/A9zyULG+pM0n6x94uffA9zyULG+LUZzwPvnXA9zyULG+pM0N:dUc7DDzLqQHu4uQzLqyuzwXnwzLqQHuR

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
860	78e4382b23626a0c54c0e1075517686d.exe

Executes dropped EXE 1 IoCs

pid	Process
860	78e4382b23626a0c54c0e1075517686d.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	78e4382b23626a0c54c0e1075517686d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000014825-11.dat	upx
behavioral1/memory/2004-15-0x00000000236E0000-0x000000002393C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	78e4382b23626a0c54c0e1075517686d.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	78e4382b23626a0c54c0e1075517686d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	78e4382b23626a0c54c0e1075517686d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	78e4382b23626a0c54c0e1075517686d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2004	78e4382b23626a0c54c0e1075517686d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2004	78e4382b23626a0c54c0e1075517686d.exe
860	78e4382b23626a0c54c0e1075517686d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 860	2004	78e4382b23626a0c54c0e1075517686d.exe	29
PID 2004 wrote to memory of 860	2004	78e4382b23626a0c54c0e1075517686d.exe	29
PID 2004 wrote to memory of 860	2004	78e4382b23626a0c54c0e1075517686d.exe	29
PID 2004 wrote to memory of 860	2004	78e4382b23626a0c54c0e1075517686d.exe	29
PID 860 wrote to memory of 2728	860	78e4382b23626a0c54c0e1075517686d.exe	30
PID 860 wrote to memory of 2728	860	78e4382b23626a0c54c0e1075517686d.exe	30
PID 860 wrote to memory of 2728	860	78e4382b23626a0c54c0e1075517686d.exe	30
PID 860 wrote to memory of 2728	860	78e4382b23626a0c54c0e1075517686d.exe	30
PID 860 wrote to memory of 2580	860	78e4382b23626a0c54c0e1075517686d.exe	33
PID 860 wrote to memory of 2580	860	78e4382b23626a0c54c0e1075517686d.exe	33
PID 860 wrote to memory of 2580	860	78e4382b23626a0c54c0e1075517686d.exe	33
PID 860 wrote to memory of 2580	860	78e4382b23626a0c54c0e1075517686d.exe	33
PID 2580 wrote to memory of 2636	2580	cmd.exe	34
PID 2580 wrote to memory of 2636	2580	cmd.exe	34
PID 2580 wrote to memory of 2636	2580	cmd.exe	34
PID 2580 wrote to memory of 2636	2580	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe
"C:\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe
  C:\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\vWvjo.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 6ek6uOO9da42
      4⤵
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vWvjo.xml

Filesize
1KB

MD5
ad73494fb914ac25199e7d24fab93b97

SHA1
a5e00f10842c21a00ff1b92eb176d8fe1d4758df

SHA256
9f96721a812fb1374032ae7ab0485b2ea83fd907ddbb0b701663accc16a421d9

SHA512
da82979dda42ef222073dce9111f216c1e2c25231fcf52369016e36739db7a1b52f0ef86d3c5e2f3fcb4bf71b1518fb27c41e42e8e19aabd877202dd95609c5b

Download Submit
\Users\Admin\AppData\Local\Temp\78e4382b23626a0c54c0e1075517686d.exe

Filesize
3.9MB

MD5
ce37c696cc554af8679fe9362768990c

SHA1
2c908693890efffb1c930fd10b5698c05879023b

SHA256
887eb9dea53dd8529214f5e2ce3dabd8b42b297bce776c4340b21355f6817f3c

SHA512
c1e13e8130249710090c802c3e21757883c637bd763965753074fa9133a4e3c9e3e7f121c473a1460a0c0d85b29cef6ff2dafb2e14a0c229720c425dbea8cf4d

Download Submit
memory/860-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/860-21-0x0000000000250000-0x00000000002CE000-memory.dmp

Filesize
504KB

Download
memory/860-27-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/860-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/860-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2004-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2004-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-4-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2004-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-15-0x00000000236E0000-0x000000002393C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads