75e146f2dac8657bb26e6b38830c63b247e9f2f0cace0a2d787d9199ff36c204

General

Target

7bfef7415062c3d9867dfb56c17d48d4.exe
Size

3.9MB
MD5

7bfef7415062c3d9867dfb56c17d48d4
SHA1

2081d58ce2417a3a4c1592dda95d1c99074c4b90
SHA256

75e146f2dac8657bb26e6b38830c63b247e9f2f0cace0a2d787d9199ff36c204
SHA512

8b38c0ca7673e0248b5c4d85eb94d3621c581d71a9147c0bc157e54039541c92de8248042787e775b451de20c260936f0cbc2da4dfdaf50b2bee4f24f7a69334
SSDEEP

98304:w0HGp6FXzJ5WgacakcibiqhMbMgOn7n0bcakcibiqh+CP4acakcibiqhMbMgOn7R:w0HGp6zkgadlirybMgOnkdliryadlirV

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	7bfef7415062c3d9867dfb56c17d48d4.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	7bfef7415062c3d9867dfb56c17d48d4.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	7bfef7415062c3d9867dfb56c17d48d4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-11.dat	upx
behavioral1/files/0x000b00000001226e-17.dat	upx
behavioral1/memory/2708-20-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2920	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7bfef7415062c3d9867dfb56c17d48d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7bfef7415062c3d9867dfb56c17d48d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7bfef7415062c3d9867dfb56c17d48d4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7bfef7415062c3d9867dfb56c17d48d4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	7bfef7415062c3d9867dfb56c17d48d4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2344	7bfef7415062c3d9867dfb56c17d48d4.exe
2708	7bfef7415062c3d9867dfb56c17d48d4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2708	2344	7bfef7415062c3d9867dfb56c17d48d4.exe	29
PID 2344 wrote to memory of 2708	2344	7bfef7415062c3d9867dfb56c17d48d4.exe	29
PID 2344 wrote to memory of 2708	2344	7bfef7415062c3d9867dfb56c17d48d4.exe	29
PID 2344 wrote to memory of 2708	2344	7bfef7415062c3d9867dfb56c17d48d4.exe	29
PID 2708 wrote to memory of 2920	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	30
PID 2708 wrote to memory of 2920	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	30
PID 2708 wrote to memory of 2920	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	30
PID 2708 wrote to memory of 2920	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	30
PID 2708 wrote to memory of 2984	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	32
PID 2708 wrote to memory of 2984	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	32
PID 2708 wrote to memory of 2984	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	32
PID 2708 wrote to memory of 2984	2708	7bfef7415062c3d9867dfb56c17d48d4.exe	32
PID 2984 wrote to memory of 1940	2984	cmd.exe	34
PID 2984 wrote to memory of 1940	2984	cmd.exe	34
PID 2984 wrote to memory of 1940	2984	cmd.exe	34
PID 2984 wrote to memory of 1940	2984	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe
"C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe
  C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\ePNYY.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe

Filesize
61KB

MD5
32ce764a4ac3e5a1772a342e69b028d9

SHA1
feb218a559993f4213da28bbc78f5a12c92d6a6b

SHA256
767229d151bfad6e43dcbdccb46a526090665f0d27e8d1647e08d39ba3349b2e

SHA512
e8017a4fe5fbe65df4475d1e7484814e285e950fb42361e4e94ea690e16f8f26641802c1e0d5b602bd1d8e23739ac353c285a9d1eacd4e83c9afe3ed3adc8e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePNYY.xml

Filesize
1KB

MD5
0413fa9f2b9d9fcc21c94ed840c27d5f

SHA1
3825840cc25486e9f8cc2ff7caa0a0d5cf8a6866

SHA256
78fba5f321ea9e1ddd824b693c77d47acb5d191511ef8db4886626a9eff62af3

SHA512
79f1166584436697774147119cba6810eabe78d2267a81a8d6d44652589ebd4459d897da2af733fb52903e477b95a85d6ca7c2db597862eb39c101b1e5691943

Download Submit
\Users\Admin\AppData\Local\Temp\7bfef7415062c3d9867dfb56c17d48d4.exe

Filesize
127KB

MD5
11c00a8eda8fb56b62b710849dffad17

SHA1
bc67e5805bd44a11d9113f6c13ce8b2c4df4dcb6

SHA256
ad9e448a035b11f0b2be57f4043549a5df7455d50f7cae9223bfa1866ddf9c36

SHA512
7980d5207bd2a7cd791619052ce183cdc86438a549977f92135d6d41ce9a95ca6456c32e3f13bf63649f71bec008ab7b55a626594b6f8891afae1d57c6c015bd

Download Submit
memory/2344-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2344-16-0x00000000236C0000-0x000000002391C000-memory.dmp

Filesize
2.4MB

Download
memory/2344-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2344-3-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2344-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2344-54-0x00000000236C0000-0x000000002391C000-memory.dmp

Filesize
2.4MB

Download
memory/2708-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2708-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2708-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2708-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads