3aedbf18aad8d2fdb183a119a3c62f7f855d11fec365adae7a1f73cc39f72a04

General

Target

7e3fa266322de156a72a6916dffd8031.exe
Size

3.0MB
MD5

7e3fa266322de156a72a6916dffd8031
SHA1

a9eebf7601d47cad045afa4bc33c96ad3405eb33
SHA256

3aedbf18aad8d2fdb183a119a3c62f7f855d11fec365adae7a1f73cc39f72a04
SHA512

8ef08fa7284927591a03991f32a3ba8f4533015836d5896ba9471e53d8699e3af30bd65eb525cb81b3e3dbff7dd60f00d568c0b753ae4c9682a0f78d3fb8e9f2
SSDEEP

49152:hrbQCTVcakLyzjcNDQreELepcakLKPNsn5xeQ2rJmzLcakLyzjcNDQreELepcak3:hrbDBcakijyDQreELscakulsn5xeQ2ru

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	7e3fa266322de156a72a6916dffd8031.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	7e3fa266322de156a72a6916dffd8031.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	7e3fa266322de156a72a6916dffd8031.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000800000001223f-11.dat	upx
behavioral1/files/0x000800000001223f-17.dat	upx
behavioral1/memory/3028-16-0x00000000233B0000-0x000000002360C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3040	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7e3fa266322de156a72a6916dffd8031.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7e3fa266322de156a72a6916dffd8031.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7e3fa266322de156a72a6916dffd8031.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7e3fa266322de156a72a6916dffd8031.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	7e3fa266322de156a72a6916dffd8031.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	7e3fa266322de156a72a6916dffd8031.exe
2744	7e3fa266322de156a72a6916dffd8031.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2744	3028	7e3fa266322de156a72a6916dffd8031.exe	29
PID 3028 wrote to memory of 2744	3028	7e3fa266322de156a72a6916dffd8031.exe	29
PID 3028 wrote to memory of 2744	3028	7e3fa266322de156a72a6916dffd8031.exe	29
PID 3028 wrote to memory of 2744	3028	7e3fa266322de156a72a6916dffd8031.exe	29
PID 2744 wrote to memory of 3040	2744	7e3fa266322de156a72a6916dffd8031.exe	30
PID 2744 wrote to memory of 3040	2744	7e3fa266322de156a72a6916dffd8031.exe	30
PID 2744 wrote to memory of 3040	2744	7e3fa266322de156a72a6916dffd8031.exe	30
PID 2744 wrote to memory of 3040	2744	7e3fa266322de156a72a6916dffd8031.exe	30
PID 2744 wrote to memory of 2552	2744	7e3fa266322de156a72a6916dffd8031.exe	34
PID 2744 wrote to memory of 2552	2744	7e3fa266322de156a72a6916dffd8031.exe	34
PID 2744 wrote to memory of 2552	2744	7e3fa266322de156a72a6916dffd8031.exe	34
PID 2744 wrote to memory of 2552	2744	7e3fa266322de156a72a6916dffd8031.exe	34
PID 2552 wrote to memory of 2544	2552	cmd.exe	33
PID 2552 wrote to memory of 2544	2552	cmd.exe	33
PID 2552 wrote to memory of 2544	2552	cmd.exe	33
PID 2552 wrote to memory of 2544	2552	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe
"C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe
  C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\VQ4bCwcb.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN uhTCmbCqd877
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe

Filesize
408KB

MD5
7b5a9fd866f40626c4d5514f037c04cb

SHA1
390066a8e901096d39c6c706edd1c24c5325aaa3

SHA256
de36fbbd06ff3c5f0e0c2be72de2b56ee0f5bd103b7782ab0eddc6c185e52f2e

SHA512
af688ec9938fad0345403deb5692e4a92e0476314b0a9d78042a13852974dada08c0f161734698342d19d724ad5bf001d1e9520906ae532833020d54bb8ecaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQ4bCwcb.xml

Filesize
1KB

MD5
b2337c596d9de935c7dd78950231359f

SHA1
b58303e4d7a8743a4e7a3bd0ec578c89ea0bdce5

SHA256
6032b52b4140fc50cdad25e21aed3429e0758668c940efcaa1d401d6cd95ecad

SHA512
584c273718830f707614558111084fda89f33dc711346665fed5c44e234b8b2ee4849ad6478e970d5423ecc44226d7976e310b4d24dc8493ed004e76f3808f12

Download Submit
\Users\Admin\AppData\Local\Temp\7e3fa266322de156a72a6916dffd8031.exe

Filesize
435KB

MD5
212ea651c320b92b5852322850646563

SHA1
4b2c53c8977adae57e8bd5496d50b1512ad58694

SHA256
855fa3ca8b48b76e600e8374afe82732c87b16191b6a6d21312dbbc8151c2296

SHA512
4461b94f16b7728b24b147f15b807072ced99e5b888977041a47c554052b5f973a1c290266e40ec0fa9642a208ff32fdf0ea495e9581f5406d16468db651b00b

Download Submit
memory/2744-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2744-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2744-22-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2744-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2744-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-3-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/3028-16-0x00000000233B0000-0x000000002360C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads