c4cd09f6e9ca998e036fb941311c4bfff830417a5ed41bed11b2701c10d0c805

General

Target

87da907861baa9cd40eb52399c83af2b.exe
Size

3.9MB
MD5

87da907861baa9cd40eb52399c83af2b
SHA1

a7b5129b36afd2054943906ad0bdc172456ad946
SHA256

c4cd09f6e9ca998e036fb941311c4bfff830417a5ed41bed11b2701c10d0c805
SHA512

5edca0c8d00d4124d3994868d66709e6002d1dc16cac5166cb7d5eb2a7e4e9cd6be43603d91aa1e03ec5e94063a654d79cf277b1f0200abe5df0818c2a53fea2
SSDEEP

98304:xQX3r3MTAmHHA9zyULG+ZIDLWY9QA9zyULG+H5ZECD5RqqLY8A9zyULG+ZIDLWYt:q3r3M3gzLqvqY/zLqAe0RTLYZzLqvqYy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	87da907861baa9cd40eb52399c83af2b.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	87da907861baa9cd40eb52399c83af2b.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	87da907861baa9cd40eb52399c83af2b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c0000000122f3-11.dat	upx
behavioral1/memory/2428-16-0x00000000235A0000-0x00000000237FC000-memory.dmp	upx
behavioral1/files/0x000c0000000122f3-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	87da907861baa9cd40eb52399c83af2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	87da907861baa9cd40eb52399c83af2b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	87da907861baa9cd40eb52399c83af2b.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	87da907861baa9cd40eb52399c83af2b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2428	87da907861baa9cd40eb52399c83af2b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2428	87da907861baa9cd40eb52399c83af2b.exe
2356	87da907861baa9cd40eb52399c83af2b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2356	2428	87da907861baa9cd40eb52399c83af2b.exe	29
PID 2428 wrote to memory of 2356	2428	87da907861baa9cd40eb52399c83af2b.exe	29
PID 2428 wrote to memory of 2356	2428	87da907861baa9cd40eb52399c83af2b.exe	29
PID 2428 wrote to memory of 2356	2428	87da907861baa9cd40eb52399c83af2b.exe	29
PID 2356 wrote to memory of 2696	2356	87da907861baa9cd40eb52399c83af2b.exe	30
PID 2356 wrote to memory of 2696	2356	87da907861baa9cd40eb52399c83af2b.exe	30
PID 2356 wrote to memory of 2696	2356	87da907861baa9cd40eb52399c83af2b.exe	30
PID 2356 wrote to memory of 2696	2356	87da907861baa9cd40eb52399c83af2b.exe	30
PID 2356 wrote to memory of 2964	2356	87da907861baa9cd40eb52399c83af2b.exe	32
PID 2356 wrote to memory of 2964	2356	87da907861baa9cd40eb52399c83af2b.exe	32
PID 2356 wrote to memory of 2964	2356	87da907861baa9cd40eb52399c83af2b.exe	32
PID 2356 wrote to memory of 2964	2356	87da907861baa9cd40eb52399c83af2b.exe	32
PID 2964 wrote to memory of 2104	2964	cmd.exe	34
PID 2964 wrote to memory of 2104	2964	cmd.exe	34
PID 2964 wrote to memory of 2104	2964	cmd.exe	34
PID 2964 wrote to memory of 2104	2964	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe
"C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe
  C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe" /TN x1iLRz9v069a /F
    3⤵
    - Creates scheduled task(s)
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\WP1qLoC.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN x1iLRz9v069a
      4⤵
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe

Filesize
3.9MB

MD5
360ed0c2b57038de7ffaecfd56c9a796

SHA1
7fb75c579cebee1f35cb95cb703a3e058a467343

SHA256
464604c386868771955960e218a24d30f71825402707c88bfd876ccae9c2b717

SHA512
7035fb8bcbc82d7fc26333ccf118914a9027c48135d28d36c5ac7320af860c09c06e23458d2075e281e55c3b4a54ee0094f57e26f017863ee00d861b1221e801

Download Submit
C:\Users\Admin\AppData\Local\Temp\WP1qLoC.xml

Filesize
1KB

MD5
2ef3df9b6158e6e3db418af87bf7bb2b

SHA1
52277eb17dc43a1287358a81f8a67bcbc0029c76

SHA256
ec2ec48137f6b7ae57c1d9340966e5987bc05fbc960a02d2e7240bfd5162e5f3

SHA512
715b1a98febb6a59fb02a9844d0473119e16d7cf9ac0e13ac76a0457a445098fbb4d95a81fedeb69d53fd3cc93bf8f2c9b2d03ec7331f41df5eab085544fb7a8

Download Submit
\Users\Admin\AppData\Local\Temp\87da907861baa9cd40eb52399c83af2b.exe

Filesize
3.3MB

MD5
5165f03fa59eab4e49028a6a2ef307d9

SHA1
5300148b1ce70586882596aa5d2e7dfcf220f33c

SHA256
c4623d7e7fc4d84358c115a5096fd2df4044ae60f92879e26da1551208e28f55

SHA512
9d891aaa767acea2019afc12e501d47f6a4f0d9e56df9a196b9f6335c56b3ad03c1716946d0b95dc76ca992fdc8ced9a6abb6c0f9be8da473276bced3c819e4a

Download Submit
memory/2356-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2356-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2356-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2356-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2428-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2428-16-0x00000000235A0000-0x00000000237FC000-memory.dmp

Filesize
2.4MB

Download
memory/2428-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2428-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2428-2-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads