8ee12a32e43142b4390408cdc3b261cde6d70f75a4ba1dfa4a22de5476f2d6e5

General

Target

8f7fb427d5d29216e10fc0d1df1f8998.exe
Size

1.6MB
MD5

8f7fb427d5d29216e10fc0d1df1f8998
SHA1

3b211090976ee1668c1a4b89fb0927e1595aac42
SHA256

8ee12a32e43142b4390408cdc3b261cde6d70f75a4ba1dfa4a22de5476f2d6e5
SHA512

9ab45944637c51c6d46a4bdf0a6725128c4ffb7aa459e86d4cf371a3b05bb1a61d2c9b61ac7dd6a7d70882e2b6eaf3d84df0401d1e9d5c16e379cefd53034d9a
SSDEEP

49152:MXw9MQErmHADQcakLz0NGkwjdgjtncakLz0O:MXw9MbmH8QcakcNGkwhgjtncakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	8f7fb427d5d29216e10fc0d1df1f8998.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	8f7fb427d5d29216e10fc0d1df1f8998.exe

Loads dropped DLL 1 IoCs

pid	Process
1796	8f7fb427d5d29216e10fc0d1df1f8998.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012252-11.dat	upx
behavioral1/memory/1796-16-0x00000000231A0000-0x00000000233FC000-memory.dmp	upx
behavioral1/files/0x000c000000012252-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3012	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8f7fb427d5d29216e10fc0d1df1f8998.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8f7fb427d5d29216e10fc0d1df1f8998.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	8f7fb427d5d29216e10fc0d1df1f8998.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	8f7fb427d5d29216e10fc0d1df1f8998.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1796	8f7fb427d5d29216e10fc0d1df1f8998.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1796	8f7fb427d5d29216e10fc0d1df1f8998.exe
2132	8f7fb427d5d29216e10fc0d1df1f8998.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2132	1796	8f7fb427d5d29216e10fc0d1df1f8998.exe	29
PID 1796 wrote to memory of 2132	1796	8f7fb427d5d29216e10fc0d1df1f8998.exe	29
PID 1796 wrote to memory of 2132	1796	8f7fb427d5d29216e10fc0d1df1f8998.exe	29
PID 1796 wrote to memory of 2132	1796	8f7fb427d5d29216e10fc0d1df1f8998.exe	29
PID 2132 wrote to memory of 3012	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	30
PID 2132 wrote to memory of 3012	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	30
PID 2132 wrote to memory of 3012	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	30
PID 2132 wrote to memory of 3012	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	30
PID 2132 wrote to memory of 2696	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	32
PID 2132 wrote to memory of 2696	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	32
PID 2132 wrote to memory of 2696	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	32
PID 2132 wrote to memory of 2696	2132	8f7fb427d5d29216e10fc0d1df1f8998.exe	32
PID 2696 wrote to memory of 2820	2696	cmd.exe	34
PID 2696 wrote to memory of 2820	2696	cmd.exe	34
PID 2696 wrote to memory of 2820	2696	cmd.exe	34
PID 2696 wrote to memory of 2820	2696	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe
"C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe
  C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\iSykZ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe

Filesize
1.4MB

MD5
3ffccf1ea7132173f1f53b479fa09fab

SHA1
f06fbb57ad9316a0da869c9c2c28aa479648f0d8

SHA256
ef3e382d47b28b07b864542ab752488407b77cdb0ebd0fda3226ecef8c0db10f

SHA512
ea2391f02395a2cbcd0238899550b73d1882f12173d0688d69aabf227af57de12322fce5e8b052a0bce954daddafe772e1f89d5e8164112587705f546165906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSykZ.xml

Filesize
1KB

MD5
45f1a0a3c0b3e156c79c40beb756c1f1

SHA1
55911895d53acff217eedce8ea6041a15fd46c3b

SHA256
6e8ab1d4a59941ba750d9a3d7760507d4ba6aa7328c569fe12211040c2dd7c38

SHA512
2bda9f76338eaa92032b14b47565dcfc535e1780acee09409fb55207206c45d90cd68b510e123e562d3b0e771dbe61421ced06f9f5d6b7a859001c7a911ca4e9

Download Submit
\Users\Admin\AppData\Local\Temp\8f7fb427d5d29216e10fc0d1df1f8998.exe

Filesize
1.6MB

MD5
8efd4acda945bc84941b79b571a0d528

SHA1
c3cee38e950b46a83d06d5edb67a2413f1f1ebf6

SHA256
6d749a8057fa4afe5de1910b66c4044ca05492635a8a5f892acd4947971afa7a

SHA512
4ecd60df08c945c2759e69517ca32b15b04dbd8ab2180ef4d2a0ae8d84cf5439b75bc5f384aed6cf47937059b0ed4a4d14419af302c326ff059976eed1aeafc0

Download Submit
memory/1796-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1796-3-0x0000000000290000-0x000000000030E000-memory.dmp

Filesize
504KB

Download
memory/1796-16-0x00000000231A0000-0x00000000233FC000-memory.dmp

Filesize
2.4MB

Download
memory/1796-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1796-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2132-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2132-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2132-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2132-21-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2132-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads