fcfb378f38151acc5a11acb99ab6af5f2028559cf25f3c737f76714a0fc3ef04

General

Target

9b87cc47c62f53a7973942c6d46c2c8b.exe
Size

2.0MB
MD5

9b87cc47c62f53a7973942c6d46c2c8b
SHA1

32c21f9093b58d7b440b63df075fe283138c269a
SHA256

fcfb378f38151acc5a11acb99ab6af5f2028559cf25f3c737f76714a0fc3ef04
SHA512

29a27ef04466b35010cb9cc9a74dc2bcc91f2f76c24815dc2e8bea6595dedaf8d866e462ca0484f40f7cdef091e870bd741a7e5fc39e003451f546d8c535febe
SSDEEP

49152:poi42gXohaaj0GQ7ai7D3xTgOxYwpK9QPJex64ynRAIuGQ7ai7D3xTgOxYwpK:poiTgXsaaj0D2i7D3xkOxYwpK9CQx64u

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	9b87cc47c62f53a7973942c6d46c2c8b.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	9b87cc47c62f53a7973942c6d46c2c8b.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	9b87cc47c62f53a7973942c6d46c2c8b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a0000000133a9-11.dat	upx
behavioral1/memory/2856-16-0x00000000232F0000-0x000000002354C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9b87cc47c62f53a7973942c6d46c2c8b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9b87cc47c62f53a7973942c6d46c2c8b.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	9b87cc47c62f53a7973942c6d46c2c8b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	9b87cc47c62f53a7973942c6d46c2c8b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2856	9b87cc47c62f53a7973942c6d46c2c8b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2856	9b87cc47c62f53a7973942c6d46c2c8b.exe
3040	9b87cc47c62f53a7973942c6d46c2c8b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 3040	2856	9b87cc47c62f53a7973942c6d46c2c8b.exe	29
PID 2856 wrote to memory of 3040	2856	9b87cc47c62f53a7973942c6d46c2c8b.exe	29
PID 2856 wrote to memory of 3040	2856	9b87cc47c62f53a7973942c6d46c2c8b.exe	29
PID 2856 wrote to memory of 3040	2856	9b87cc47c62f53a7973942c6d46c2c8b.exe	29
PID 3040 wrote to memory of 2684	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	30
PID 3040 wrote to memory of 2684	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	30
PID 3040 wrote to memory of 2684	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	30
PID 3040 wrote to memory of 2684	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	30
PID 3040 wrote to memory of 2612	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	32
PID 3040 wrote to memory of 2612	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	32
PID 3040 wrote to memory of 2612	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	32
PID 3040 wrote to memory of 2612	3040	9b87cc47c62f53a7973942c6d46c2c8b.exe	32
PID 2612 wrote to memory of 2584	2612	cmd.exe	34
PID 2612 wrote to memory of 2584	2612	cmd.exe	34
PID 2612 wrote to memory of 2584	2612	cmd.exe	34
PID 2612 wrote to memory of 2584	2612	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe
"C:\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe
  C:\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe" /TN qm2lmOfce5f6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN qm2lmOfce5f6 > C:\Users\Admin\AppData\Local\Temp\FgBts.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN qm2lmOfce5f6
      4⤵
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FgBts.xml

Filesize
1KB

MD5
1911130ef5bb17802d771784131e5e7b

SHA1
bd6da6a18b7da04c67f8894f23ab6d93f88d38e3

SHA256
fc8a630191745515339150743d0a43646287606e9a3b8e729b093216af48f124

SHA512
1fb1eb4781b5062d2eec5c5499e4f4c6677840050ad3b5383006e48b507426333925e62955dfe48a8480f5c8dc4dd61915a21beca39dea3e2e5fe9c7b1dd85f7

Download Submit
\Users\Admin\AppData\Local\Temp\9b87cc47c62f53a7973942c6d46c2c8b.exe

Filesize
2.0MB

MD5
84688793ab46fc1a08ecd5941238b8bf

SHA1
dca97b6263251d96df4664f7e804f694ddf82456

SHA256
d2bc41403d5bdc0d6846892cf0c7d969bbf6445bed8739cde682eeaa2026c6ba

SHA512
1f8796c1d0dbba6c5cd512aec9701b40294720cb13311cd142704a3d6ea43e559bdb386662251c21551fadf8bb0f96d7d74ef34d9100e5c0d13b7a99dc9677ab

Download Submit
memory/2856-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2856-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2856-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-16-0x00000000232F0000-0x000000002354C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3040-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3040-21-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/3040-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3040-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads