6eed3309fcf58a295d26f0fe901e4b65145be9ceec19d7ed9cda1c97afe47f0d

General

Target

7e755188b9efe5f399e39cb5dab4236b.exe
Size

2.0MB
MD5

7e755188b9efe5f399e39cb5dab4236b
SHA1

5d64ad839de557f2ef555a1ca222b0ad4c1d6399
SHA256

6eed3309fcf58a295d26f0fe901e4b65145be9ceec19d7ed9cda1c97afe47f0d
SHA512

e2558e0d248eda4fc865c5788fcef38cddc6c1f7a53b60a9730e5add010e5328cec73ddb55ca5b699ce05d66def5e1a48a91d29604e576883df3ea165395acde
SSDEEP

49152:baHwz4vIvsrEclCvXz6dK1QQkyqfjsWl0UIeQXwZq5XpldaXtvXz6dK1QQkyqfj:kw8wvsrEclCvXz6dKqQknoWl0UIeQ4ET

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2372	7e755188b9efe5f399e39cb5dab4236b.exe

Executes dropped EXE 1 IoCs

pid	Process
2372	7e755188b9efe5f399e39cb5dab4236b.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	7e755188b9efe5f399e39cb5dab4236b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-1-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012264-11.dat	upx
behavioral1/files/0x0009000000012264-13.dat	upx
behavioral1/memory/1680-16-0x0000000023230000-0x000000002348C000-memory.dmp	upx
behavioral1/files/0x0009000000012264-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2844	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7e755188b9efe5f399e39cb5dab4236b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7e755188b9efe5f399e39cb5dab4236b.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7e755188b9efe5f399e39cb5dab4236b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7e755188b9efe5f399e39cb5dab4236b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	7e755188b9efe5f399e39cb5dab4236b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	7e755188b9efe5f399e39cb5dab4236b.exe
2372	7e755188b9efe5f399e39cb5dab4236b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2372	1680	7e755188b9efe5f399e39cb5dab4236b.exe	29
PID 1680 wrote to memory of 2372	1680	7e755188b9efe5f399e39cb5dab4236b.exe	29
PID 1680 wrote to memory of 2372	1680	7e755188b9efe5f399e39cb5dab4236b.exe	29
PID 1680 wrote to memory of 2372	1680	7e755188b9efe5f399e39cb5dab4236b.exe	29
PID 2372 wrote to memory of 2844	2372	7e755188b9efe5f399e39cb5dab4236b.exe	30
PID 2372 wrote to memory of 2844	2372	7e755188b9efe5f399e39cb5dab4236b.exe	30
PID 2372 wrote to memory of 2844	2372	7e755188b9efe5f399e39cb5dab4236b.exe	30
PID 2372 wrote to memory of 2844	2372	7e755188b9efe5f399e39cb5dab4236b.exe	30
PID 2372 wrote to memory of 2288	2372	7e755188b9efe5f399e39cb5dab4236b.exe	32
PID 2372 wrote to memory of 2288	2372	7e755188b9efe5f399e39cb5dab4236b.exe	32
PID 2372 wrote to memory of 2288	2372	7e755188b9efe5f399e39cb5dab4236b.exe	32
PID 2372 wrote to memory of 2288	2372	7e755188b9efe5f399e39cb5dab4236b.exe	32
PID 2288 wrote to memory of 2868	2288	cmd.exe	34
PID 2288 wrote to memory of 2868	2288	cmd.exe	34
PID 2288 wrote to memory of 2868	2288	cmd.exe	34
PID 2288 wrote to memory of 2868	2288	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe
"C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe
  C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe" /TN Nnb8kaFf43a4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\FuTL3.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Nnb8kaFf43a4
      4⤵
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe

Filesize
896KB

MD5
0758afe5ba14f8518393151ce89dd8e4

SHA1
26e95e445ac55c1241b793b8f00346a192536ea6

SHA256
c9a84c9e03de61799b9364e67f8ee4525fcdcd111541d9896075ce468fcdc6a9

SHA512
6595d6680aff5ebab33ad178c6d3f326722b8adf06fc62742b1f5f13a0b20dc04c974d65843fac2214093bf7a25de35fd38b6a371af91b83c5ad94b514cebc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe

Filesize
1.7MB

MD5
7ce710ac373c7d05333a18be77060b3b

SHA1
4bcc914702a5c7dbcff493bca6e62787748dfe98

SHA256
d59824e002da8f45eaf8f3f24697e18e9cc32462f9234689989d52bbc2f94860

SHA512
ceed55b8d122a3ba8f75b93edba4474fca2070968e17181756addc773518f9d1b27ff73426bfad4a5a81deef4fba5d13d252846b5ac20dc272c8c35d0981d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuTL3.xml

Filesize
1KB

MD5
65cefffbe3c36033fbb2ae502e2cb683

SHA1
69e5ce6fc6fd11e0fdc8a534eac7b31532c94453

SHA256
2a7b3168c6b3c5da76b001a95276d54c563b06fcd9baa758fde6f60464dff00f

SHA512
b4837395aa556d09f991153c20884373c4c9ffdacb99d1a27a990e891ac6dc57aae980b730285d0c782edcbeec022303cc03a4a51662fc544618da73bfacf31b

Download Submit
\Users\Admin\AppData\Local\Temp\7e755188b9efe5f399e39cb5dab4236b.exe

Filesize
1.2MB

MD5
fc7a4106727b6b8aa6011cb29f798fb0

SHA1
acd10141db0ae8f3c3c790519f42aaca1337675f

SHA256
5db78698bc78e3c538c638b269ad75ee5be7069e0f7facdb79a6e12cdce09361

SHA512
ba2df2c71505ea135cc42991a867a92a05a8fa06b4257573b99398a1b3207383477da9707bf536bf3be1d224debce7f3e935a9d3683e09633c266287b513fdd2

Download Submit
memory/1680-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1680-16-0x0000000023230000-0x000000002348C000-memory.dmp

Filesize
2.4MB

Download
memory/1680-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1680-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1680-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2372-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2372-21-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2372-26-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2372-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2372-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads