bf3a1aca3bef1d1036b18f05fc0749fcba8ba718e39897b13d8c96d677c1dff2

General

Target

98dc1239529f829003e989551919150e.exe
Size

1003KB
MD5

98dc1239529f829003e989551919150e
SHA1

c42e585ca94188f25913d5ca546324852dbbc8fb
SHA256

bf3a1aca3bef1d1036b18f05fc0749fcba8ba718e39897b13d8c96d677c1dff2
SHA512

3eeb79f3b6764c85c5a9bf050d260c0ea65ae5142d62226ee52ff98a445d0b8b4c3cffa73b17b5373cd7eca0def2b7784e3ff0b71caace17f27ef51984eb6824
SSDEEP

24576:fF+XiMzjdj7+vivYH1Ca+va60N53UG2enM7TJtdQQW8he:fFWjdj7+4YH1CVy6AqZ2wTJtdQWc

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2392	98dc1239529f829003e989551919150e.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	98dc1239529f829003e989551919150e.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	98dc1239529f829003e989551919150e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000800000001223a-11.dat	upx
behavioral1/memory/1708-16-0x0000000022F40000-0x000000002319C000-memory.dmp	upx
behavioral1/memory/2392-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	98dc1239529f829003e989551919150e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	98dc1239529f829003e989551919150e.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	98dc1239529f829003e989551919150e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	98dc1239529f829003e989551919150e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	98dc1239529f829003e989551919150e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	98dc1239529f829003e989551919150e.exe
2392	98dc1239529f829003e989551919150e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2392	1708	98dc1239529f829003e989551919150e.exe	29
PID 1708 wrote to memory of 2392	1708	98dc1239529f829003e989551919150e.exe	29
PID 1708 wrote to memory of 2392	1708	98dc1239529f829003e989551919150e.exe	29
PID 1708 wrote to memory of 2392	1708	98dc1239529f829003e989551919150e.exe	29
PID 2392 wrote to memory of 2728	2392	98dc1239529f829003e989551919150e.exe	30
PID 2392 wrote to memory of 2728	2392	98dc1239529f829003e989551919150e.exe	30
PID 2392 wrote to memory of 2728	2392	98dc1239529f829003e989551919150e.exe	30
PID 2392 wrote to memory of 2728	2392	98dc1239529f829003e989551919150e.exe	30
PID 2392 wrote to memory of 3016	2392	98dc1239529f829003e989551919150e.exe	32
PID 2392 wrote to memory of 3016	2392	98dc1239529f829003e989551919150e.exe	32
PID 2392 wrote to memory of 3016	2392	98dc1239529f829003e989551919150e.exe	32
PID 2392 wrote to memory of 3016	2392	98dc1239529f829003e989551919150e.exe	32
PID 3016 wrote to memory of 2880	3016	cmd.exe	34
PID 3016 wrote to memory of 2880	3016	cmd.exe	34
PID 3016 wrote to memory of 2880	3016	cmd.exe	34
PID 3016 wrote to memory of 2880	3016	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe
"C:\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe
  C:\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\CVGTLjoXG.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uhTCmbCqd877
      4⤵
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CVGTLjoXG.xml

Filesize
1KB

MD5
0f721fae63d65306682caffbeebec8df

SHA1
a9b3e5dd66330b53429fdcfb07cb4b89927e7d9e

SHA256
e69917988257825672b2fc1e8aba496c956e345619291daa88319f1e821d612c

SHA512
38aaf38dd90c1f28e7a98bf70d86a4a68a46483484286aafa0de53cb33f104c685cbab6a8e2158d7a92c2857902e4eb4729acc77a157f53043a83d5d765df75c

Download Submit
\Users\Admin\AppData\Local\Temp\98dc1239529f829003e989551919150e.exe

Filesize
1003KB

MD5
4b1ab490690ed14778a58ae97c04e90b

SHA1
51f796eb23d005082f0cf6ea709f30139bac98dd

SHA256
32da60360e9de9d5021fbcee3e29717f632f449ae90fe533a3af24eb9a567d45

SHA512
fd467f6fdf76ae097082d2c503346b5976bbaa4eb6c086a1dc675745d96e55404da0415602d27af9b2ade4e7a518597cb9473231b890d1647c51488db5fbec18

Download Submit
memory/1708-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1708-2-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1708-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1708-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1708-16-0x0000000022F40000-0x000000002319C000-memory.dmp

Filesize
2.4MB

Download
memory/2392-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2392-20-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2392-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2392-27-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/2392-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads