e483447401b87a0ae990672c517a4e7303979a4fe3a5f15d2d4f9dcfbdcff3cc

General

Target

8b2176092d16ec194b1c7f45880708d6.exe
Size

2.0MB
MD5

8b2176092d16ec194b1c7f45880708d6
SHA1

ddc5e1193a28cef3bd74572bd78777194fd17932
SHA256

e483447401b87a0ae990672c517a4e7303979a4fe3a5f15d2d4f9dcfbdcff3cc
SHA512

8b41ad4d0d5162fee7a6518fbdc522bb1227fb78480194cf760ad3dafd2ce8ea7e49fdb3d5745861499d15d1a1d485e2744179d1ff3b234e97dabe470a13edcb
SSDEEP

49152:GVOs7ps3mjIvjcakLz0ibq6yqhJe8swpsqMs/iVdXcakLz0ibq6yqh:GVOsds3gmcakcibiqhJe8swFMUiVdXcH

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	8b2176092d16ec194b1c7f45880708d6.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	8b2176092d16ec194b1c7f45880708d6.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	8b2176092d16ec194b1c7f45880708d6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012247-11.dat	upx
behavioral1/memory/2028-16-0x00000000232A0000-0x00000000234FC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2396	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8b2176092d16ec194b1c7f45880708d6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8b2176092d16ec194b1c7f45880708d6.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8b2176092d16ec194b1c7f45880708d6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8b2176092d16ec194b1c7f45880708d6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2028	8b2176092d16ec194b1c7f45880708d6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2028	8b2176092d16ec194b1c7f45880708d6.exe
2756	8b2176092d16ec194b1c7f45880708d6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2756	2028	8b2176092d16ec194b1c7f45880708d6.exe	29
PID 2028 wrote to memory of 2756	2028	8b2176092d16ec194b1c7f45880708d6.exe	29
PID 2028 wrote to memory of 2756	2028	8b2176092d16ec194b1c7f45880708d6.exe	29
PID 2028 wrote to memory of 2756	2028	8b2176092d16ec194b1c7f45880708d6.exe	29
PID 2756 wrote to memory of 2396	2756	8b2176092d16ec194b1c7f45880708d6.exe	30
PID 2756 wrote to memory of 2396	2756	8b2176092d16ec194b1c7f45880708d6.exe	30
PID 2756 wrote to memory of 2396	2756	8b2176092d16ec194b1c7f45880708d6.exe	30
PID 2756 wrote to memory of 2396	2756	8b2176092d16ec194b1c7f45880708d6.exe	30
PID 2756 wrote to memory of 2640	2756	8b2176092d16ec194b1c7f45880708d6.exe	32
PID 2756 wrote to memory of 2640	2756	8b2176092d16ec194b1c7f45880708d6.exe	32
PID 2756 wrote to memory of 2640	2756	8b2176092d16ec194b1c7f45880708d6.exe	32
PID 2756 wrote to memory of 2640	2756	8b2176092d16ec194b1c7f45880708d6.exe	32
PID 2640 wrote to memory of 2696	2640	cmd.exe	34
PID 2640 wrote to memory of 2696	2640	cmd.exe	34
PID 2640 wrote to memory of 2696	2640	cmd.exe	34
PID 2640 wrote to memory of 2696	2640	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe
"C:\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe
  C:\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\iexWFTf.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexWFTf.xml

Filesize
1KB

MD5
ee739998cbc22c2333554e1e7d4bac5b

SHA1
54e5b380b2dab4aaeca09dc77bb4d84a3fac7e22

SHA256
3a70724cd18cf0da2187eb5b88e474d6dd4b4ff9800e3052bf9b1e1b175d8b86

SHA512
f4f8d49f18826740f18e434d8b78d8b4db89a05cf9fea64388bd278aae317be71ea9dfe1ebf0e9c38a4469f696f146aca4aca8a714335891cd5429b67ebed462

Download Submit
\Users\Admin\AppData\Local\Temp\8b2176092d16ec194b1c7f45880708d6.exe

Filesize
2.0MB

MD5
4f0fc53b63a52c97401c6796be4e9198

SHA1
5af4f87738c8b9f1788f79fe1fd2c0a93fb292fb

SHA256
ac6ba1d94928bec281d270ed30c047296924db1e12e714b5a21005ddb7abaffe

SHA512
9e9694ba3619e6cedb8239ef52f14fbbb13e32af151d4d4473412916f9a6f5fc1100edac2ae2ad512c588ef4e8b728dfea4a06331b52f5d407cc6cb857f3d36a

Download Submit
memory/2028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2028-2-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2028-16-0x00000000232A0000-0x00000000234FC000-memory.dmp

Filesize
2.4MB

Download
memory/2028-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2756-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2756-27-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/2756-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2756-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads