462a9fe8a9ed7cbd38d1bc05fc60d316a56ad4d6602731388c9452bc477c548d

General

Target

7f42efb26641983a37d9a2e7f6b51ccc.exe
Size

1003KB
MD5

7f42efb26641983a37d9a2e7f6b51ccc
SHA1

155e13a730f20dd9fb2e5a3f833fa0bafa29895f
SHA256

462a9fe8a9ed7cbd38d1bc05fc60d316a56ad4d6602731388c9452bc477c548d
SHA512

cc164e20536c7f141a0c422ca050105b1323365a34c11f624e6bbd17a54baee912788226b65f98f3a7a52be71e1ebb9a3d2a9910840f7eadaeb714d796c0df04
SSDEEP

24576:hAF5TgCFi+FsZinjcH5f+64JRWFULCD+:hO8CFixZinjcN+9zWFULG+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	7f42efb26641983a37d9a2e7f6b51ccc.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	7f42efb26641983a37d9a2e7f6b51ccc.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	7f42efb26641983a37d9a2e7f6b51ccc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001220d-11.dat	upx
behavioral1/memory/2848-16-0x0000000022F20000-0x000000002317C000-memory.dmp	upx
behavioral1/files/0x000a00000001220d-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2896	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7f42efb26641983a37d9a2e7f6b51ccc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7f42efb26641983a37d9a2e7f6b51ccc.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7f42efb26641983a37d9a2e7f6b51ccc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7f42efb26641983a37d9a2e7f6b51ccc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2848	7f42efb26641983a37d9a2e7f6b51ccc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2848	7f42efb26641983a37d9a2e7f6b51ccc.exe
2556	7f42efb26641983a37d9a2e7f6b51ccc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2556	2848	7f42efb26641983a37d9a2e7f6b51ccc.exe	29
PID 2848 wrote to memory of 2556	2848	7f42efb26641983a37d9a2e7f6b51ccc.exe	29
PID 2848 wrote to memory of 2556	2848	7f42efb26641983a37d9a2e7f6b51ccc.exe	29
PID 2848 wrote to memory of 2556	2848	7f42efb26641983a37d9a2e7f6b51ccc.exe	29
PID 2556 wrote to memory of 2896	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	30
PID 2556 wrote to memory of 2896	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	30
PID 2556 wrote to memory of 2896	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	30
PID 2556 wrote to memory of 2896	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	30
PID 2556 wrote to memory of 2476	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	34
PID 2556 wrote to memory of 2476	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	34
PID 2556 wrote to memory of 2476	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	34
PID 2556 wrote to memory of 2476	2556	7f42efb26641983a37d9a2e7f6b51ccc.exe	34
PID 2476 wrote to memory of 2720	2476	cmd.exe	32
PID 2476 wrote to memory of 2720	2476	cmd.exe	32
PID 2476 wrote to memory of 2720	2476	cmd.exe	32
PID 2476 wrote to memory of 2720	2476	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe
"C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe
  C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\ECXM62.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 6ek6uOO9da42
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe

Filesize
1003KB

MD5
e992a1a9f4c07866e331f6033eaf1481

SHA1
e9fc7956342d8bbd3eb6a056040c82fa0f51050a

SHA256
a98a9fd4aa67e2a6aa9b9a86345d401c50f3990aace1a05b3650eea5318ab158

SHA512
adcf4b92abb1c001c4fd2416fc658e53b760dc0b02bfce40b78240bc9119e39c8fe0327d9fb1d16d3e1fa0a48a6a6c7bb53cac04485bad1063af0cb701e1fa86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECXM62.xml

Filesize
1KB

MD5
68dd92364aa7f62a9e17a2259d9f2b8c

SHA1
df8b6d61bfcbbf169ff476397f11997e71b81069

SHA256
b0dc2d9d669d6cd8e7e2a27f286eb791400a2617b995e776c6a73add980fa266

SHA512
c2780e5bd3398f84319394e38aeb84dbfa68413ccc1123e0bc002dffbe1c90ff0e4e958a0f1f7c77ab9a6172c153cc79d2e2777988307bf17f888a39746c0565

Download Submit
\Users\Admin\AppData\Local\Temp\7f42efb26641983a37d9a2e7f6b51ccc.exe

Filesize
65KB

MD5
ff6d89e3a6cef7de28d76a310dd060d6

SHA1
01140be866f5484e3d28db10ee32839bff82685e

SHA256
9df7fc510be4165137ba742b9977f706561ef990eaae64615b84b8f0f68e63fe

SHA512
a0b5ed6bb18f0b3be8d7f1e392b09ee1be37520badbbd77415f32c04b540f4a41d2b6fcda4eadbb219e9f785dcac6f4efc5142a3879fc95d2f6b806f1f8061c7

Download Submit
memory/2556-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2556-21-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2556-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2556-31-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2556-46-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2848-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2848-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2848-16-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/2848-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2848-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2848-45-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads