6384a78a076ea0fd43684d132903845426ebb2600ccde5d8555d514f976a3c74

General

Target

9949d275e7ac8c5a0bebc47d28f8aa45.exe
Size

5.1MB
MD5

9949d275e7ac8c5a0bebc47d28f8aa45
SHA1

337131470ec47f55cfc616cd9b77fcb6e35644f4
SHA256

6384a78a076ea0fd43684d132903845426ebb2600ccde5d8555d514f976a3c74
SHA512

c1aa8c1b4d62ab45bf605eedf7aa92dadf406561351a2b39f946bedc162cd86076a2d320753aab5ad5f6505e3baa933813b49edf06ccdbd7c5b8a9feb3338a4e
SSDEEP

98304:x4P3UWmGd3Il4Iadp35zgMi3bW+Ab+6+nwK3:xA3UAiXQzgMv+k6

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2116	9949d275e7ac8c5a0bebc47d28f8aa45.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	9949d275e7ac8c5a0bebc47d28f8aa45.exe

Loads dropped DLL 1 IoCs

pid	Process
2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000b000000012243-11.dat	upx
behavioral1/files/0x000b000000012243-14.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9949d275e7ac8c5a0bebc47d28f8aa45.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9949d275e7ac8c5a0bebc47d28f8aa45.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	9949d275e7ac8c5a0bebc47d28f8aa45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	9949d275e7ac8c5a0bebc47d28f8aa45.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe
2116	9949d275e7ac8c5a0bebc47d28f8aa45.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2116	2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe	28
PID 2108 wrote to memory of 2116	2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe	28
PID 2108 wrote to memory of 2116	2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe	28
PID 2108 wrote to memory of 2116	2108	9949d275e7ac8c5a0bebc47d28f8aa45.exe	28

C:\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe
"C:\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe
  C:\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe

Filesize
3.7MB

MD5
cc62a5a5e5f1708f158903b0ad2a2fcc

SHA1
4f1efa48459f05602731f7076cab5240d74af6ed

SHA256
f505f050be294cb3a21b53e1382ef24d70591756cbe0d9433701bd1c330c7a1e

SHA512
15d7255de44bc50352499c20cee899f9896419ff1e00a94dd06929677a4a87f09c72ae92275e1cb224d9d14e6b11441e0e639bd21f87b0c1a3d9efa4309b7dc4

Download Submit
\Users\Admin\AppData\Local\Temp\9949d275e7ac8c5a0bebc47d28f8aa45.exe

Filesize
704KB

MD5
c5af22cb4c898af8657b05e7aa9f20d7

SHA1
1b3c3c65f9dccbfc8862bf505c0ad72f7dcd672c

SHA256
9bc1d874da4b33cd2f8242bdf8863db55138c8ae4cb988246f2a411d0cdb6b0a

SHA512
6b2b60250ff208ef9d8f42bfeea3411d94e3a22b9e43dc149610b56dbc03c53853bd947989055657eb48a77ee39c22f345c13b75471e5cf4cd1457959f81a8d2

Download Submit
memory/2108-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2108-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2108-3-0x0000000002200000-0x000000000245A000-memory.dmp

Filesize
2.4MB

Download
memory/2108-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2108-17-0x00000000042C0000-0x0000000004C5E000-memory.dmp

Filesize
9.6MB

Download
memory/2108-42-0x00000000042C0000-0x0000000004C5E000-memory.dmp

Filesize
9.6MB

Download
memory/2116-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2116-21-0x00000000021D0000-0x000000000242A000-memory.dmp

Filesize
2.4MB

Download
memory/2116-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing