3aa009d4edd897752bedd696ea09d30b50bb5445d3931dee2ef8fd9890c5d3d4

General

Target

97aed3b56dcf4fb5899717f2251567cc.exe
Size

2.0MB
MD5

97aed3b56dcf4fb5899717f2251567cc
SHA1

e5c8ac08e10b5c8d07a51842b8ef706ff59638e6
SHA256

3aa009d4edd897752bedd696ea09d30b50bb5445d3931dee2ef8fd9890c5d3d4
SHA512

51e3b6acefe11a90394153a710285204f16a1ea81833ddf275c7a3158c04856a001ff9bde9b1be09561717eeaf08c33df84a2d22705259838c572bda2f016efb
SSDEEP

49152:GdqTEmmMH/a8cakLz0ibq6yqhIX6gPho8ivKHqcakLz0ibq6yqh:RYwHi8cakcibiqhIX/i8ivKHqcakcibJ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2288	97aed3b56dcf4fb5899717f2251567cc.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	97aed3b56dcf4fb5899717f2251567cc.exe

Loads dropped DLL 1 IoCs

pid	Process
2252	97aed3b56dcf4fb5899717f2251567cc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012262-11.dat	upx
behavioral1/files/0x0009000000012262-13.dat	upx
behavioral1/memory/2252-16-0x0000000023320000-0x000000002357C000-memory.dmp	upx
behavioral1/files/0x0009000000012262-17.dat	upx
behavioral1/memory/2288-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	97aed3b56dcf4fb5899717f2251567cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	97aed3b56dcf4fb5899717f2251567cc.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	97aed3b56dcf4fb5899717f2251567cc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	97aed3b56dcf4fb5899717f2251567cc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2252	97aed3b56dcf4fb5899717f2251567cc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2252	97aed3b56dcf4fb5899717f2251567cc.exe
2288	97aed3b56dcf4fb5899717f2251567cc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2288	2252	97aed3b56dcf4fb5899717f2251567cc.exe	29
PID 2252 wrote to memory of 2288	2252	97aed3b56dcf4fb5899717f2251567cc.exe	29
PID 2252 wrote to memory of 2288	2252	97aed3b56dcf4fb5899717f2251567cc.exe	29
PID 2252 wrote to memory of 2288	2252	97aed3b56dcf4fb5899717f2251567cc.exe	29
PID 2288 wrote to memory of 2852	2288	97aed3b56dcf4fb5899717f2251567cc.exe	30
PID 2288 wrote to memory of 2852	2288	97aed3b56dcf4fb5899717f2251567cc.exe	30
PID 2288 wrote to memory of 2852	2288	97aed3b56dcf4fb5899717f2251567cc.exe	30
PID 2288 wrote to memory of 2852	2288	97aed3b56dcf4fb5899717f2251567cc.exe	30
PID 2288 wrote to memory of 2328	2288	97aed3b56dcf4fb5899717f2251567cc.exe	32
PID 2288 wrote to memory of 2328	2288	97aed3b56dcf4fb5899717f2251567cc.exe	32
PID 2288 wrote to memory of 2328	2288	97aed3b56dcf4fb5899717f2251567cc.exe	32
PID 2288 wrote to memory of 2328	2288	97aed3b56dcf4fb5899717f2251567cc.exe	32
PID 2328 wrote to memory of 2700	2328	cmd.exe	34
PID 2328 wrote to memory of 2700	2328	cmd.exe	34
PID 2328 wrote to memory of 2700	2328	cmd.exe	34
PID 2328 wrote to memory of 2700	2328	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe
"C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe
  C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe" /TN WAgLRKqP8c0d /F
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WAgLRKqP8c0d > C:\Users\Admin\AppData\Local\Temp\rq8OCkfT.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WAgLRKqP8c0d
      4⤵
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe

Filesize
1.7MB

MD5
4813f556fd002bc3fd56d6fed88227bf

SHA1
2992621c321370735ba35dd4217648e2415eac91

SHA256
6d7ab9adb2c77e4b1e55a8a88727a269c9944c573cc1ed74d00fe9f97dfd5745

SHA512
084705ffa351d45982566e7aaf96cdc54a62757faeca4e795e7fa44ae53612426743395fbbe3055da9deac00f2e975c84c912218f9e924eacd9118972cb24edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe

Filesize
1.4MB

MD5
70592950949d68b3c903aaf7cbd6629d

SHA1
faf7222e3393c9138c0256b9f79c594440fc1ef7

SHA256
2ae0cbe0bceade1f0a7b96c4315c333a2210dab3ca7bbb1a39a9100b3524bfee

SHA512
09f1507b92e0ec1c5d1f12663a082a54013e502b6af3253af58663847a237dd27d585eb937f0cbd7634363369afabd473acbc114ad379be6b018708f12986e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq8OCkfT.xml

Filesize
1KB

MD5
0002a38188a9ccdea7b747d1dc0fb325

SHA1
602532efa0c2c44cb462d7057ce91c0665c276c5

SHA256
1b61f64735399d2af80116d701841e5de696cd77c185d1b0d97452c751501363

SHA512
1e1e0bd7baa908ec40780df8eb801742c1fb9b134bcae4d23f0b7d6080384e64af3d00d048f1a10708e09d3cd69464e33ff9bd29e6d59596fcbb3afc9e8d6d54

Download Submit
\Users\Admin\AppData\Local\Temp\97aed3b56dcf4fb5899717f2251567cc.exe

Filesize
1017KB

MD5
d02a59ad3459d25d0fe7ed734d5054fb

SHA1
0160a4f27499a15a4c5b7dbd1ed5049354a564b2

SHA256
275a665aeb26aa61bc0c178e325f4fd4f1b842216ef39bc513adc88ffe476283

SHA512
b0b45e79e849ab7b33d233d10439656ebbb30cf32e97bfb2b587b6cd474c254b54beed9e0cada4166ebf8630480ccaa9e240b1b714d06ca9e1c898c5a9d7a4ad

Download Submit
memory/2252-16-0x0000000023320000-0x000000002357C000-memory.dmp

Filesize
2.4MB

Download
memory/2252-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2252-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2252-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2252-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2288-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2288-20-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2288-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2288-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads