b843162c310beff0f178230eb0bb2485f127c78372f5dbd5b9328596f9936f94

General

Target

9a51d300d81c187e1a71b2041cdef152.exe
Size

3.0MB
MD5

9a51d300d81c187e1a71b2041cdef152
SHA1

904100073805d3be924777e1aa505216bc98781a
SHA256

b843162c310beff0f178230eb0bb2485f127c78372f5dbd5b9328596f9936f94
SHA512

c99da8d53ed01171fbbd605f3a5a3b757506575eb763035e613375b22fe866cbfe9e4ba309f52f9b9726bd46df0454fe7c179bce81be52b6a0fa25631e2a7a2e
SSDEEP

49152:z+kvU5NX+Wc7KdcakL6WZDtQXWry7JkBZbkcakLoDjGDHRQlywSKcakL6WZDtQXw:z9snu1mdcakOWZDtQXWry7mBZbkcaksi

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	9a51d300d81c187e1a71b2041cdef152.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	9a51d300d81c187e1a71b2041cdef152.exe

Loads dropped DLL 1 IoCs

pid	Process
2432	9a51d300d81c187e1a71b2041cdef152.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012185-17.dat	upx
behavioral1/memory/2432-15-0x0000000023430000-0x000000002368C000-memory.dmp	upx
behavioral1/files/0x000b000000012185-14.dat	upx
behavioral1/files/0x000b000000012185-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	9a51d300d81c187e1a71b2041cdef152.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	9a51d300d81c187e1a71b2041cdef152.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9a51d300d81c187e1a71b2041cdef152.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9a51d300d81c187e1a71b2041cdef152.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2432	9a51d300d81c187e1a71b2041cdef152.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2432	9a51d300d81c187e1a71b2041cdef152.exe
2732	9a51d300d81c187e1a71b2041cdef152.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2732	2432	9a51d300d81c187e1a71b2041cdef152.exe	29
PID 2432 wrote to memory of 2732	2432	9a51d300d81c187e1a71b2041cdef152.exe	29
PID 2432 wrote to memory of 2732	2432	9a51d300d81c187e1a71b2041cdef152.exe	29
PID 2432 wrote to memory of 2732	2432	9a51d300d81c187e1a71b2041cdef152.exe	29
PID 2732 wrote to memory of 2668	2732	9a51d300d81c187e1a71b2041cdef152.exe	30
PID 2732 wrote to memory of 2668	2732	9a51d300d81c187e1a71b2041cdef152.exe	30
PID 2732 wrote to memory of 2668	2732	9a51d300d81c187e1a71b2041cdef152.exe	30
PID 2732 wrote to memory of 2668	2732	9a51d300d81c187e1a71b2041cdef152.exe	30
PID 2732 wrote to memory of 2784	2732	9a51d300d81c187e1a71b2041cdef152.exe	32
PID 2732 wrote to memory of 2784	2732	9a51d300d81c187e1a71b2041cdef152.exe	32
PID 2732 wrote to memory of 2784	2732	9a51d300d81c187e1a71b2041cdef152.exe	32
PID 2732 wrote to memory of 2784	2732	9a51d300d81c187e1a71b2041cdef152.exe	32
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34
PID 2784 wrote to memory of 2956	2784	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe
"C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe
  C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\3bxFq778J.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3bxFq778J.xml

Filesize
1KB

MD5
88f527e3e1464b81419882c2ff1e706a

SHA1
dcb69b3449b687b9f18d86f734db6d06fe7cc530

SHA256
839d0c6617e9235cb10d9876f89a4509277463c079ea9a5ef8f0b6bc4500414c

SHA512
45e4d694d592ce9429dff32c2153e9f2191a9ee0f8a1b5fb497b076fe4d5f0d64756e135d5973d988876d4f8dff17f74a252f65ac7911f6bf632bfdbad90ee39

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe

Filesize
1.2MB

MD5
38436dc6cce62d886e66bd20ca015c61

SHA1
3b42329cd2fbbd57ee4d203792a03e27a0ac0127

SHA256
4889d8af380823d47e446b6992d746b6d4e7a20d644d1a4623164a5b5636a5ba

SHA512
148657e65245d16f7dd85493034f6db040935475b4e6c0b6f279ed4475b3c7fbe902e8159c086d4888e7bb0b737d7a8ae96d62f48b85dca0f78617e17133b97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe

Filesize
1.4MB

MD5
79e55962785b68e23ee4e0010bda7cd5

SHA1
0f96492277ff1b53884e08ff5a4828c10d5f1762

SHA256
8d56981930923cc74e7316b17e3aa8e38f1ea0d6ad3a5fb5d5edf0da4b839602

SHA512
f11017e37ff855e2bdbe1c8d4b439c118c4c075475ae0ea63951edc221641aca7878d88e1ed0244ef294bcf29250f95f94c6170697bb63a43930c49a1d4be073

Download Submit
\Users\Admin\AppData\Local\Temp\9a51d300d81c187e1a71b2041cdef152.exe

Filesize
1.4MB

MD5
c9b52b727ec455cd4415144ccdcc5597

SHA1
f3eab70aac4975edc9357ceeeac03d26dc8afce8

SHA256
bcb49251b3f74075540ddc29d605a7b86c5e11cc610e2eb965469f9985b6a3fe

SHA512
72dbfc783180bdbd506ff9a7ddd9fab6983093c7b03a4cde163f01ce847baaf49a6c3ea7b34f915a706a3263fc77b1160dbd4945e042f420c2e06170a811eddc

Download Submit
memory/2432-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2432-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-15-0x0000000023430000-0x000000002368C000-memory.dmp

Filesize
2.4MB

Download
memory/2432-3-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2432-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-53-0x0000000023430000-0x000000002368C000-memory.dmp

Filesize
2.4MB

Download
memory/2732-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2732-24-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2732-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2732-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads