721b92e3b86d9d99a101cc10b0cb59ebc6a4ae48d605bf8da351e6b720feaae6

General

Target

7c03edc3853c0d0470fa0c4c35a19209.exe
Size

1.5MB
MD5

7c03edc3853c0d0470fa0c4c35a19209
SHA1

1cb3a7274baaedf0d3fdfcce7bfd9efc65404595
SHA256

721b92e3b86d9d99a101cc10b0cb59ebc6a4ae48d605bf8da351e6b720feaae6
SHA512

64276a01587fe8676fd4e06e5e150fb01c3bf16f6d329a305c7aae15d25f4e2afbe098128b8f78e4fb3edba2fca927cf167291acaf30bbbd227be660d03e5a86
SSDEEP

24576:w2deVX/AUsGw2Bvr6qbmcjukL2HQHZDtQXUJmYy7J0GeBhjbkcjukL2Y:rMVXYUBbvr6mmcakL6WZDtQXWry7JkBB

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	7c03edc3853c0d0470fa0c4c35a19209.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	7c03edc3853c0d0470fa0c4c35a19209.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	7c03edc3853c0d0470fa0c4c35a19209.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000122c4-11.dat	upx
behavioral1/files/0x00070000000122c4-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2828	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7c03edc3853c0d0470fa0c4c35a19209.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7c03edc3853c0d0470fa0c4c35a19209.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7c03edc3853c0d0470fa0c4c35a19209.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7c03edc3853c0d0470fa0c4c35a19209.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1928	7c03edc3853c0d0470fa0c4c35a19209.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1928	7c03edc3853c0d0470fa0c4c35a19209.exe
2536	7c03edc3853c0d0470fa0c4c35a19209.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2536	1928	7c03edc3853c0d0470fa0c4c35a19209.exe	29
PID 1928 wrote to memory of 2536	1928	7c03edc3853c0d0470fa0c4c35a19209.exe	29
PID 1928 wrote to memory of 2536	1928	7c03edc3853c0d0470fa0c4c35a19209.exe	29
PID 1928 wrote to memory of 2536	1928	7c03edc3853c0d0470fa0c4c35a19209.exe	29
PID 2536 wrote to memory of 2828	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	30
PID 2536 wrote to memory of 2828	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	30
PID 2536 wrote to memory of 2828	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	30
PID 2536 wrote to memory of 2828	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	30
PID 2536 wrote to memory of 2976	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	34
PID 2536 wrote to memory of 2976	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	34
PID 2536 wrote to memory of 2976	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	34
PID 2536 wrote to memory of 2976	2536	7c03edc3853c0d0470fa0c4c35a19209.exe	34
PID 2976 wrote to memory of 2972	2976	cmd.exe	32
PID 2976 wrote to memory of 2972	2976	cmd.exe	32
PID 2976 wrote to memory of 2972	2976	cmd.exe	32
PID 2976 wrote to memory of 2972	2976	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe
"C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe
  C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\CJdtX.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe

Filesize
913KB

MD5
216a119beb4b491782543cdea5eae005

SHA1
db1239850336ac169c9815627dffa5129f217ebc

SHA256
3ffe94a085362df494d85adbe2e38c6ec0cdf1ece5df7e1e150b5cbf5a73813a

SHA512
25537c4f1d0e2741e8684717db4639ae76c9a7c25b861b56965765aafcae682471499285d0114e2dab6b926225ac61be7d5d3bb388d7dbd3def65d03e786f5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CJdtX.xml

Filesize
1KB

MD5
ad15fd20d2d56bd305c9fcfd1e303258

SHA1
9534098a6a8af04017c81cf083d3effa29549b7b

SHA256
47d007d22f8decb22e12f7aeffcc9e9b3caabae92c2926b052e7b5b6cc9d04f6

SHA512
d8cab262c83c5d9451b7b0cd5740cab6c92765c602a02c790ab0d702e2683556ad7cf9584cee3bd6a9b6118a4fb7c6c2e85f90ea45977cdd7c3e416a4846e9cc

Download Submit
\Users\Admin\AppData\Local\Temp\7c03edc3853c0d0470fa0c4c35a19209.exe

Filesize
1.5MB

MD5
9ce06a870b12f8fbb8ce0a09c58bcc0b

SHA1
97339b6a67862d5e00a9be13f942588597ef3dbd

SHA256
5f943036c0ddcc5e3478a3f502855b8826ae15db289730c51eeef509479716f1

SHA512
b2ef02d731a14b82a4af1685fc86261fd3c5828fc7df3aa4c91208bdae3908ecf6b7ecd2a8a7d8ba12fd9c6db386801a2714da1a2fa5c3ae0ff902983e13619d

Download Submit
memory/1928-16-0x0000000023130000-0x000000002338C000-memory.dmp

Filesize
2.4MB

Download
memory/1928-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1928-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1928-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1928-3-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/1928-53-0x0000000023130000-0x000000002338C000-memory.dmp

Filesize
2.4MB

Download
memory/2536-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2536-22-0x0000000022DF0000-0x0000000022E6E000-memory.dmp

Filesize
504KB

Download
memory/2536-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2536-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2536-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads