8ca53c7166637a87d13e221c85f26642a35b36baf336a3a900453bae20827d2e

General

Target

8b4d99198a3de7105578b5de8771cb2a.exe
Size

3.9MB
MD5

8b4d99198a3de7105578b5de8771cb2a
SHA1

04c0aebe2dc42db920d1ee770ad79dfe8ed1a31e
SHA256

8ca53c7166637a87d13e221c85f26642a35b36baf336a3a900453bae20827d2e
SHA512

6a39ccba90850ea86cecbce7a5637ddd8bfb3def1d9c2b1d6682ffc5638b847ed3de969eaa3d28b19d7db2dfa9ec61b842e961c63b8e7b3c05e3d9b496b21a65
SSDEEP

98304:mg/vEq2bfA9zyULG+Y0v0jD+rEA9zyULG+WRziQf4A9zyULG+Y0v0jD+rEA9zyU1:mg/eIzLqlGzLq4qzLqlGzLq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	8b4d99198a3de7105578b5de8771cb2a.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	8b4d99198a3de7105578b5de8771cb2a.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	8b4d99198a3de7105578b5de8771cb2a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-12.dat	upx
behavioral1/files/0x0004000000004ed7-18.dat	upx
behavioral1/memory/1696-17-0x0000000023590000-0x00000000237EC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8b4d99198a3de7105578b5de8771cb2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8b4d99198a3de7105578b5de8771cb2a.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8b4d99198a3de7105578b5de8771cb2a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8b4d99198a3de7105578b5de8771cb2a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1696	8b4d99198a3de7105578b5de8771cb2a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1696	8b4d99198a3de7105578b5de8771cb2a.exe
2668	8b4d99198a3de7105578b5de8771cb2a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2668	1696	8b4d99198a3de7105578b5de8771cb2a.exe	31
PID 1696 wrote to memory of 2668	1696	8b4d99198a3de7105578b5de8771cb2a.exe	31
PID 1696 wrote to memory of 2668	1696	8b4d99198a3de7105578b5de8771cb2a.exe	31
PID 1696 wrote to memory of 2668	1696	8b4d99198a3de7105578b5de8771cb2a.exe	31
PID 2668 wrote to memory of 2816	2668	8b4d99198a3de7105578b5de8771cb2a.exe	32
PID 2668 wrote to memory of 2816	2668	8b4d99198a3de7105578b5de8771cb2a.exe	32
PID 2668 wrote to memory of 2816	2668	8b4d99198a3de7105578b5de8771cb2a.exe	32
PID 2668 wrote to memory of 2816	2668	8b4d99198a3de7105578b5de8771cb2a.exe	32
PID 2668 wrote to memory of 2784	2668	8b4d99198a3de7105578b5de8771cb2a.exe	36
PID 2668 wrote to memory of 2784	2668	8b4d99198a3de7105578b5de8771cb2a.exe	36
PID 2668 wrote to memory of 2784	2668	8b4d99198a3de7105578b5de8771cb2a.exe	36
PID 2668 wrote to memory of 2784	2668	8b4d99198a3de7105578b5de8771cb2a.exe	36
PID 2784 wrote to memory of 2868	2784	cmd.exe	34
PID 2784 wrote to memory of 2868	2784	cmd.exe	34
PID 2784 wrote to memory of 2868	2784	cmd.exe	34
PID 2784 wrote to memory of 2868	2784	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe
"C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe
  C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\3gQyjI.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3gQyjI.xml

Filesize
1KB

MD5
5749c2efff9737983ea207c47ce40199

SHA1
8d0129b926b256696c1116b3e542745606d41401

SHA256
be6c88014d0fe656f23042f7c546bc1a5d7c4d35ddc68956a98e2fe886f0f836

SHA512
6ee77cdf1e955584af48f2472b2b82cd217aa8b1f72e7ea34e7887e85293831c1a896dd3bc05a36a962bfe474512a3cc10c8e4844ff42d40f94fe6915297ceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe

Filesize
1.1MB

MD5
9c6623e0c80e1f607fc7c79409c7b380

SHA1
b051d4c09a0bf65eb1448aaf42e9ee384d63c356

SHA256
63f882b714a23c55236b0ab9405fd21a26de54c0f82ba85f7d1435ffa035da6b

SHA512
97f5f6208e96580f05afe7ee6fcfef206e1061b55002cd6da141d5b635f46780d3a8cd6aa585783a27de48430f1d6cb07a555531bd37a85c1d75fb7ade6790f4

Download Submit
\Users\Admin\AppData\Local\Temp\8b4d99198a3de7105578b5de8771cb2a.exe

Filesize
2.4MB

MD5
330dac2d10a5d11d92195f1c28da832c

SHA1
b049a318d40cb7b552c3bee147a450d74279a85e

SHA256
946bd1ab7f2ef374cd270977b3f7b58a9204ecf658a6264e5ccc185cbdae4a19

SHA512
bafc2083a54f89b7727758396af622f9de4fdbca50afb509d2f08e1ed29f19a189f64f27c074616114bc3258e5d78983c0620e97a93d7df8928c78c32e81d387

Download Submit
memory/1696-17-0x0000000023590000-0x00000000237EC000-memory.dmp

Filesize
2.4MB

Download
memory/1696-5-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1696-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1696-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1696-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1696-3-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/2668-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2668-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2668-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-32-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2668-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads