8e77e48b97fe4ca044c9b423f161fa4ffa457e6a54c7d258348903505a4128d7

General

Target

9b500daf99c3ef2227a6f3c72b81cb18.exe
Size

3.0MB
MD5

9b500daf99c3ef2227a6f3c72b81cb18
SHA1

942796d1265c7b1d979d1b02f941559ce1c785ff
SHA256

8e77e48b97fe4ca044c9b423f161fa4ffa457e6a54c7d258348903505a4128d7
SHA512

752b9d0e5562bb9b071d56d89cf25ff4a552ef60dd9c1b497e2a3eb5f37459adbbb52c8e5b8f25e4dfc6aebbb5db6cbe3090024f8202a686c8445f2670c7093a
SSDEEP

49152:z3Y6mCMLf4TcakLBz6CSuw3opcakLlHQgfeL03+0nMlRcakLBz6CSuw3opcakLj:zI6fMLf4Tcak1zzSkpcakpdmL0O0M/cW

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	9b500daf99c3ef2227a6f3c72b81cb18.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	9b500daf99c3ef2227a6f3c72b81cb18.exe

Loads dropped DLL 1 IoCs

pid	Process
1256	9b500daf99c3ef2227a6f3c72b81cb18.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001223f-11.dat	upx
behavioral1/files/0x000b00000001223f-14.dat	upx
behavioral1/files/0x000b00000001223f-17.dat	upx
behavioral1/memory/2788-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9b500daf99c3ef2227a6f3c72b81cb18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9b500daf99c3ef2227a6f3c72b81cb18.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	9b500daf99c3ef2227a6f3c72b81cb18.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	9b500daf99c3ef2227a6f3c72b81cb18.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1256	9b500daf99c3ef2227a6f3c72b81cb18.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1256	9b500daf99c3ef2227a6f3c72b81cb18.exe
2788	9b500daf99c3ef2227a6f3c72b81cb18.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2788	1256	9b500daf99c3ef2227a6f3c72b81cb18.exe	29
PID 1256 wrote to memory of 2788	1256	9b500daf99c3ef2227a6f3c72b81cb18.exe	29
PID 1256 wrote to memory of 2788	1256	9b500daf99c3ef2227a6f3c72b81cb18.exe	29
PID 1256 wrote to memory of 2788	1256	9b500daf99c3ef2227a6f3c72b81cb18.exe	29
PID 2788 wrote to memory of 2784	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	30
PID 2788 wrote to memory of 2784	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	30
PID 2788 wrote to memory of 2784	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	30
PID 2788 wrote to memory of 2784	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	30
PID 2788 wrote to memory of 2236	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	32
PID 2788 wrote to memory of 2236	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	32
PID 2788 wrote to memory of 2236	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	32
PID 2788 wrote to memory of 2236	2788	9b500daf99c3ef2227a6f3c72b81cb18.exe	32
PID 2236 wrote to memory of 2288	2236	cmd.exe	34
PID 2236 wrote to memory of 2288	2236	cmd.exe	34
PID 2236 wrote to memory of 2288	2236	cmd.exe	34
PID 2236 wrote to memory of 2288	2236	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe
"C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe
  C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\pgjzMA.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uhTCmbCqd877
      4⤵
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe

Filesize
768KB

MD5
ce2787bd7ebbfa848a8c1c5b17fe8454

SHA1
2981bd8a5c74a42081cc5311fe0793b7dcdd0e4b

SHA256
2c13883ec9b2493183f569baf515a652839624c70feb174035f49c127cbb632a

SHA512
91ca1fbe1d916c3e9e2efb294fed7580a4cb67e52529a2f49d0d66e398315bcf9dce535366bdfae0c0232f28e8c1cceb8313d2c5b80037a7ab7d4f53d60234c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe

Filesize
3.0MB

MD5
b207ae2e4713095b97db1035bbf8ab18

SHA1
393f1a9013c7c3060bce6285369e276fde789e69

SHA256
000da1a3320a6aa2c1b67eebb7ff9393cd56a3b468e1111c2aa9b208c307085e

SHA512
2e0dce724be79b74f99ed4db10d7ce8efacd3dbc11c36140e517c3594a14abb27ffc6276fe78535848478d9f7f2b3ce15494ddbeabc468701077ebb595192b0f

Download Submit
\Users\Admin\AppData\Local\Temp\9b500daf99c3ef2227a6f3c72b81cb18.exe

Filesize
384KB

MD5
b95d2e4fcceca7e6efee5b8477c3a812

SHA1
6bd71442996ba474c9fb9695a6a3897e3465427c

SHA256
ecc713c5c33635f34eb99c0aa0f02eeb876353e24b3855aa87dac9e42462c5d4

SHA512
54fd2d6be2b55a08a6f5c8588a71c5652fa3663c57b218f5961d8d58631c7ce9042d08a5116bdf43e72d3fab6ce6c2421a647b7f8601c87a15974c6a6ebe3bb6

Download Submit
memory/1256-16-0x00000000233F0000-0x000000002364C000-memory.dmp

Filesize
2.4MB

Download
memory/1256-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1256-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1256-3-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/1256-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2788-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2788-20-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2788-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2788-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2788-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads