2a630ced355b4bcc67ab4baca282f796f5867073837a92cd51e5072688e5db12

General

Target

8bdbeda16bec167f1f6ac033c1f94430.exe
Size

3.9MB
MD5

8bdbeda16bec167f1f6ac033c1f94430
SHA1

9e863cc25d2a96c4d25e8ae77bd40842d8d46bce
SHA256

2a630ced355b4bcc67ab4baca282f796f5867073837a92cd51e5072688e5db12
SHA512

8ce754a81f9f575f13397bc6e61ac37417a21314fe29420bd9a929747f2883066bec98aa39a88f40f536eb1741394983bad3bf450acfe49f921fca510cfb2c36
SSDEEP

98304:uC1QmD5bPIo6DnYnWUtMKiln4K2Io6DnYnWU1UDYpIo6DnYnWUtMKiln4K2Io6Di:uC1QmQoM54MEHkoM54M

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2892	8bdbeda16bec167f1f6ac033c1f94430.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	8bdbeda16bec167f1f6ac033c1f94430.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	8bdbeda16bec167f1f6ac033c1f94430.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000122c4-17.dat	upx
behavioral1/files/0x00070000000122c4-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8bdbeda16bec167f1f6ac033c1f94430.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8bdbeda16bec167f1f6ac033c1f94430.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8bdbeda16bec167f1f6ac033c1f94430.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8bdbeda16bec167f1f6ac033c1f94430.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2308	8bdbeda16bec167f1f6ac033c1f94430.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2308	8bdbeda16bec167f1f6ac033c1f94430.exe
2892	8bdbeda16bec167f1f6ac033c1f94430.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2892	2308	8bdbeda16bec167f1f6ac033c1f94430.exe	21
PID 2308 wrote to memory of 2892	2308	8bdbeda16bec167f1f6ac033c1f94430.exe	21
PID 2308 wrote to memory of 2892	2308	8bdbeda16bec167f1f6ac033c1f94430.exe	21
PID 2308 wrote to memory of 2892	2308	8bdbeda16bec167f1f6ac033c1f94430.exe	21
PID 2892 wrote to memory of 2804	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	28
PID 2892 wrote to memory of 2804	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	28
PID 2892 wrote to memory of 2804	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	28
PID 2892 wrote to memory of 2804	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	28
PID 2892 wrote to memory of 2696	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	29
PID 2892 wrote to memory of 2696	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	29
PID 2892 wrote to memory of 2696	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	29
PID 2892 wrote to memory of 2696	2892	8bdbeda16bec167f1f6ac033c1f94430.exe	29
PID 2696 wrote to memory of 2684	2696	cmd.exe	30
PID 2696 wrote to memory of 2684	2696	cmd.exe	30
PID 2696 wrote to memory of 2684	2696	cmd.exe	30
PID 2696 wrote to memory of 2684	2696	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe
"C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe
  C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\fC8iusz6.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe

Filesize
36KB

MD5
a30ea067902d043298815888dd9d65e9

SHA1
10b65817e8843039b6552f3386fdb537b2ec66bb

SHA256
aa20ced8a94c303e73c4daa09d00a2457603526420a5e0ace63dfb2d8714a81d

SHA512
49d0460259367d6a2fe2b76800f7027e46ca4aa9e13acae7772bcfb2fa4c2c21b85dab33a1a74ffeb0823e3535a0b054c4433ed81981f2d48b7c3fecd757111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fC8iusz6.xml

Filesize
1KB

MD5
0b9190d108b379b6b6d71c65413c55eb

SHA1
de388a5b08f6993c820de355c658ec3ef425df94

SHA256
86fde0bfcc68cc62a88261432b6d18e6da60814d2d27657193017a35d5a6a031

SHA512
f17a2da321d528fe4ca1795ee0eb36539c9f6d3855fa81366fce95b7dc38c2de68d79e9bfae4eddd36a85c8b9f0e5a402a5347897693107762a7762972278d05

Download Submit
\Users\Admin\AppData\Local\Temp\8bdbeda16bec167f1f6ac033c1f94430.exe

Filesize
880KB

MD5
2bc3d4f0b4f0324cd0c864b0da9f6ebf

SHA1
d71d2e0777c42ba118b6c6e1f1e80231d7581724

SHA256
c47a1a399a8173f1419948e2803baabe6b73240d805f0624817fbc7d5d55c433

SHA512
bea10ab41579d30baccd6efbad7a25ff318828c2d57b7c29822e9eba96f80a32a74ecea0e57b8796c6f07c058c087e34edc6e3a3f20c38df3fdb8cb435377bbc

Download Submit
memory/2308-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2308-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2308-3-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2308-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2308-15-0x00000000235A0000-0x00000000237FC000-memory.dmp

Filesize
2.4MB

Download
memory/2892-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2892-31-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2892-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2892-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2892-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads