e5ee31cf229e3638e1dab2cf2633e13efefb2802d946e0136c350143675ec41f

General

Target

8eaed1f3272586dd1c7f369b964891d3.exe
Size

302KB
MD5

8eaed1f3272586dd1c7f369b964891d3
SHA1

de6359f85a4766885c5b01471407cfe85d087f8e
SHA256

e5ee31cf229e3638e1dab2cf2633e13efefb2802d946e0136c350143675ec41f
SHA512

18d8f0f5a2b566e3f78895bf0d432c0ed3c07fb21d1642ff626b630578f16040fe629d6d42280e5b8a96c56b4408d1bba28bd377ae9b3e715cf962c42b3d0a3b
SSDEEP

6144:pE062fsr0hVz3kCPV7Cm5kDhI8HPm2ENNRPBOnmQ:elv0b3kG7T5kDh1aNRPom

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	8eaed1f3272586dd1c7f369b964891d3.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	8eaed1f3272586dd1c7f369b964891d3.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	8eaed1f3272586dd1c7f369b964891d3.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x00070000000120ff-11.dat	upx
behavioral1/files/0x00070000000120ff-17.dat	upx
behavioral1/memory/2448-18-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/memory/2264-15-0x0000000022D90000-0x0000000022E70000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8eaed1f3272586dd1c7f369b964891d3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8eaed1f3272586dd1c7f369b964891d3.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8eaed1f3272586dd1c7f369b964891d3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8eaed1f3272586dd1c7f369b964891d3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2264	8eaed1f3272586dd1c7f369b964891d3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2264	8eaed1f3272586dd1c7f369b964891d3.exe
2448	8eaed1f3272586dd1c7f369b964891d3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2448	2264	8eaed1f3272586dd1c7f369b964891d3.exe	29
PID 2264 wrote to memory of 2448	2264	8eaed1f3272586dd1c7f369b964891d3.exe	29
PID 2264 wrote to memory of 2448	2264	8eaed1f3272586dd1c7f369b964891d3.exe	29
PID 2264 wrote to memory of 2448	2264	8eaed1f3272586dd1c7f369b964891d3.exe	29

C:\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe
"C:\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe
  C:\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe

Filesize
302KB

MD5
2e27fd5a120ee95ce1ebd01341e12cfc

SHA1
0f7df8d26bdb352c4fdfb38a5f3b464dee035669

SHA256
91e4fedbc9323bb2296fb18aea5fbec363f412da53d1e4cd5efda14281d47a0c

SHA512
53831ecd3b74607b59f72e6db22adda5bdbda58d0ba52f67affc113f40f017c0ad5ccfc99f65e16d8ccc1619bc099620e6cb629fb7600085b451c8919988b6a1

Download Submit
\Users\Admin\AppData\Local\Temp\8eaed1f3272586dd1c7f369b964891d3.exe

Filesize
128KB

MD5
d348490ce00ad49f9478a31d071af90f

SHA1
73b9c03b4c51645500633722eb1ec19e38bfdc3e

SHA256
3f588a987982f9ecb08934baaa44f019c80face7f7d3910d51a466691674ba3b

SHA512
e787e4c09f13accc2c8d0d8a914c41d86d68a5b08ff65615ab582578c3f5aa33d3d1ee677b76deffb57fec8b5937324e64bf38ac973680cad6ca8e4c274241b3

Download Submit
memory/2264-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2264-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-4-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2264-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-15-0x0000000022D90000-0x0000000022E70000-memory.dmp

Filesize
896KB

Download
memory/2448-18-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2448-20-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/2448-43-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing