20574ec9f2fd6d4a25904f42e95d10fd27cc2777f31bc3c489822a9ebbf0bdeb

General

Target

9639dbb1439d054a1d93f9267878e535.exe
Size

2.0MB
MD5

9639dbb1439d054a1d93f9267878e535
SHA1

a84fc3c6dd807cf80e3c570e1d46903abcf9d797
SHA256

20574ec9f2fd6d4a25904f42e95d10fd27cc2777f31bc3c489822a9ebbf0bdeb
SHA512

a47ffbf742c3c106b0790f5c62378deaa5b06a46b849248583562f5121f5ddff10b5f36f9b97c7ca11c444a52018a0b09c8da2dc58f3d31244406a332af50604
SSDEEP

49152:DV5vKx0T6vIpFCMGQ7ai7D3xTgOxYwpKq+DYstDZmgHFcGhYzRqGQ7ai7D3xTgOu:RhKx06I/JD2i7D3xkOxYwpKq+DYiZrYj

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	9639dbb1439d054a1d93f9267878e535.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	9639dbb1439d054a1d93f9267878e535.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	9639dbb1439d054a1d93f9267878e535.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012243-15.dat	upx
behavioral1/files/0x000a000000012243-11.dat	upx
behavioral1/memory/2836-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2772	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9639dbb1439d054a1d93f9267878e535.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9639dbb1439d054a1d93f9267878e535.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	9639dbb1439d054a1d93f9267878e535.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	9639dbb1439d054a1d93f9267878e535.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2232	9639dbb1439d054a1d93f9267878e535.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2232	9639dbb1439d054a1d93f9267878e535.exe
2836	9639dbb1439d054a1d93f9267878e535.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2836	2232	9639dbb1439d054a1d93f9267878e535.exe	25
PID 2232 wrote to memory of 2836	2232	9639dbb1439d054a1d93f9267878e535.exe	25
PID 2232 wrote to memory of 2836	2232	9639dbb1439d054a1d93f9267878e535.exe	25
PID 2232 wrote to memory of 2836	2232	9639dbb1439d054a1d93f9267878e535.exe	25
PID 2836 wrote to memory of 2772	2836	9639dbb1439d054a1d93f9267878e535.exe	30
PID 2836 wrote to memory of 2772	2836	9639dbb1439d054a1d93f9267878e535.exe	30
PID 2836 wrote to memory of 2772	2836	9639dbb1439d054a1d93f9267878e535.exe	30
PID 2836 wrote to memory of 2772	2836	9639dbb1439d054a1d93f9267878e535.exe	30
PID 2836 wrote to memory of 2684	2836	9639dbb1439d054a1d93f9267878e535.exe	32
PID 2836 wrote to memory of 2684	2836	9639dbb1439d054a1d93f9267878e535.exe	32
PID 2836 wrote to memory of 2684	2836	9639dbb1439d054a1d93f9267878e535.exe	32
PID 2836 wrote to memory of 2684	2836	9639dbb1439d054a1d93f9267878e535.exe	32
PID 2684 wrote to memory of 2820	2684	cmd.exe	33
PID 2684 wrote to memory of 2820	2684	cmd.exe	33
PID 2684 wrote to memory of 2820	2684	cmd.exe	33
PID 2684 wrote to memory of 2820	2684	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe
"C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe
  C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\yfGmOFb.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe

Filesize
208KB

MD5
b21e17afb0a9fbd2c4701b83720a217b

SHA1
370e8ad7c124cce3307e38403061ac410324b0d4

SHA256
4281dab0fabe3166696192ae7c04e3e4b478a74e8669a441ab0c71c1b32dcdfd

SHA512
cc0df7ccac88d743d4c1244de1a4ab41f1d47d9d52c54e740b9d71f48bfd5703099264f41abffcc8ea4a72c3589ecf9ba3ca9fd4671810bcdf36476118594e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfGmOFb.xml

Filesize
1KB

MD5
773f47ea2ff5ab386da5a9466580f25b

SHA1
aa27bb906ce35051bd489d428e4963170f725a26

SHA256
34721fb4db5d1d2afc72106330fca3bbae98fab78d456b8c1e30efaa4b02d604

SHA512
cac3cda773067961743ced9eb07c32c595573abde2b232f67ec78cc0729d11e8077ad7640da6ca6573ca62ce950850d6a355d2aacb42f347b4b10859796c7e87

Download Submit
\Users\Admin\AppData\Local\Temp\9639dbb1439d054a1d93f9267878e535.exe

Filesize
171KB

MD5
7ac7a6cc82c505afc4bce69c93f1af03

SHA1
98396c013cea7b53ced80ab5d91a705dd416e78d

SHA256
59c74ad6fa82fe253eb4682c7f372b8ea0a3c390310bb895ef45aaa88a49a6ae

SHA512
88a5e9c951a5b216b0f1d38b04e6a06883507e3f3d61ca8e1340957b9644caf9626002a8ee0a305d4994ddcb5369073f295d433b26fadf5472f4c771df09f164

Download Submit
memory/2232-17-0x0000000023250000-0x00000000234AC000-memory.dmp

Filesize
2.4MB

Download
memory/2232-3-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2232-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2232-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2232-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2836-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2836-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2836-27-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/2836-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2836-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads