6330de4a9f0f2136b45712a68a3a9ddffbfbc78115046cca9df6c3d16eff4b1b

General

Target

8b568b6f0d3856bd226b6bdc5dc9be32.exe
Size

1003KB
MD5

8b568b6f0d3856bd226b6bdc5dc9be32
SHA1

15e2013597aaa5542cbd7ede6551c5816e2edd69
SHA256

6330de4a9f0f2136b45712a68a3a9ddffbfbc78115046cca9df6c3d16eff4b1b
SHA512

3b954d20acac9f34ba9b8ac8db563523abc4ab900808d601a8be3e9ed377001708b65b16e6720294117e2a7d22d8e458cbd4c0e1bed0e28f60116ca7d27173a7
SSDEEP

24576:l7WX5Toxhdr3968CcH5f+64JRWFULCD+:l7WX50Vr3968CcN+9zWFULG+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000800000001223f-11.dat	upx
behavioral1/memory/2116-16-0x0000000022FE0000-0x000000002323C000-memory.dmp	upx
behavioral1/memory/2732-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000800000001223f-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8b568b6f0d3856bd226b6bdc5dc9be32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8b568b6f0d3856bd226b6bdc5dc9be32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8b568b6f0d3856bd226b6bdc5dc9be32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8b568b6f0d3856bd226b6bdc5dc9be32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe
2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2732	2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe	29
PID 2116 wrote to memory of 2732	2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe	29
PID 2116 wrote to memory of 2732	2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe	29
PID 2116 wrote to memory of 2732	2116	8b568b6f0d3856bd226b6bdc5dc9be32.exe	29
PID 2732 wrote to memory of 2712	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	30
PID 2732 wrote to memory of 2712	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	30
PID 2732 wrote to memory of 2712	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	30
PID 2732 wrote to memory of 2712	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	30
PID 2732 wrote to memory of 2912	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	34
PID 2732 wrote to memory of 2912	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	34
PID 2732 wrote to memory of 2912	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	34
PID 2732 wrote to memory of 2912	2732	8b568b6f0d3856bd226b6bdc5dc9be32.exe	34
PID 2912 wrote to memory of 2540	2912	cmd.exe	33
PID 2912 wrote to memory of 2540	2912	cmd.exe	33
PID 2912 wrote to memory of 2540	2912	cmd.exe	33
PID 2912 wrote to memory of 2540	2912	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe
"C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe
  C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\z4mT723D.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN uhTCmbCqd877
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe

Filesize
197KB

MD5
81dbbb2495dc381e413146a69634ceca

SHA1
f3935e4fbf5cddaabc3ec11371ac743cffab95dd

SHA256
640476f2d4e0d6e00597a8582ee019597216b0fa1546184aa99c49de5e2e071a

SHA512
c2d518382596011bb7912822a77210b3364b8083da8cafef1094f14d1e345fe32ae05a93bce52b5e5c11ae2a08873b3652c94f7fd27cceab63ea4210f6e070ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4mT723D.xml

Filesize
1KB

MD5
bad68732c99a6d421f19435d67107989

SHA1
a79cceb8b6cecb9058b5577e049e462c4813d29f

SHA256
56248aa6bdc52657d563a3b5237466837f93f0ce1a01f209e2a74a79221073e6

SHA512
74d7abb5e407323a73ec2007d57bac220a812c01efec7022a0b7ab4fcc86a66cb9f9f47916a5bcd4057585734b220ecb5ff797b1e52c9895006e0fbf6162dcc5

Download Submit
\Users\Admin\AppData\Local\Temp\8b568b6f0d3856bd226b6bdc5dc9be32.exe

Filesize
168KB

MD5
603f51d71b44dc7a104329858fedbfb0

SHA1
26ac3dac996d77a3bf743fef372f6a2cb0915fd4

SHA256
48be413901ac8175f54a13249472166f5acb2495237b161f2a9d3c8889bc2d80

SHA512
80d449c4815a32565f6277082b1762787cbecb68d8f183a6d71d947160b01caacf3d9d60d91c0bf66b01a1baf0d348b0cc2e4add98a8defe2b3f8fc689e8efb0

Download Submit
memory/2116-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2116-16-0x0000000022FE0000-0x000000002323C000-memory.dmp

Filesize
2.4MB

Download
memory/2116-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2116-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2116-2-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2732-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2732-20-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2732-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2732-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2732-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads