e02eb55c076b71f409b5fb26a38139ccb6b6c1cee887d53b978c41be7d87ab97

General

Target

a2d90e3a9711aff6f1cf60cbbad7c658.exe
Size

133KB
MD5

a2d90e3a9711aff6f1cf60cbbad7c658
SHA1

17b626ad8846308a1b4a963d5ed3a745b0ec552d
SHA256

e02eb55c076b71f409b5fb26a38139ccb6b6c1cee887d53b978c41be7d87ab97
SHA512

c291d3e80df48ce5b9ab7cd983686e337372feea93e7ca7bc8f2a73045840a52ee0dd820d221b326d3da7f75acfbea118c5df19fb052fbc521b819689bdf64f8
SSDEEP

3072:ilrLuWCp3BD6H+fx0QKDaLsEDMXlpBiQvR95bQdz1ENIluHlPYydSzOQ:ilXuNnD9UaLna/HdQdz+NIlQPYyd5Q

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	a2d90e3a9711aff6f1cf60cbbad7c658.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	a2d90e3a9711aff6f1cf60cbbad7c658.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/files/0x0009000000015c23-11.dat	upx
behavioral1/files/0x0009000000015c23-16.dat	upx
behavioral1/files/0x0009000000015c23-14.dat	upx
behavioral1/memory/1624-13-0x0000000002D20000-0x0000000002DA6000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a2d90e3a9711aff6f1cf60cbbad7c658.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a2d90e3a9711aff6f1cf60cbbad7c658.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a2d90e3a9711aff6f1cf60cbbad7c658.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a2d90e3a9711aff6f1cf60cbbad7c658.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe
2596	a2d90e3a9711aff6f1cf60cbbad7c658.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2596	1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe	20
PID 1624 wrote to memory of 2596	1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe	20
PID 1624 wrote to memory of 2596	1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe	20
PID 1624 wrote to memory of 2596	1624	a2d90e3a9711aff6f1cf60cbbad7c658.exe	20

C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
"C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
  C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe

Filesize
12KB

MD5
0a6eb4fb4bd12e2bfbefe40339346c35

SHA1
ec899a7d55c9728e4333a87acd23a111b07ee1ba

SHA256
16bf40d8ac997e327030bbd63787fa3de6f22692ebffab848c0e334b94090116

SHA512
e881be1ecd9d187de80decc41987ca04fb4214f0bfc93d545f12af342ba58587054443db704d87f7cff854d270e5fa8e660fe23fde42ef137cd565eb723145f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe

Filesize
1KB

MD5
0565b130972661a605f1d26c000ed901

SHA1
878ce9078d9ce4dfc7ff3174261c3fffcd4b6f33

SHA256
a248714222a4891587f4b2ad70374f9921239581df0a7d1e9d14b733aa948894

SHA512
2789f1fa7f3041168f5414febe8f50531d1858f917a32548d15987b0d2556aafd3cd2025d0a41e65ca3db5196ae7f7d2a288f74f2c8d5e6c65dd628a499ff97c

Download Submit
\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe

Filesize
64KB

MD5
22b99b8d5cbcabdc425a4d55791acaf2

SHA1
721037140dbe04d3e1e96c1db69fe279c1eb8bf6

SHA256
cce99695e92f60e6c3810b79d374b8424c79e7d5930d801e08402b2b1df9f828

SHA512
2812854dfc881cbcbc576023fe211d64dbff88150f0653f73f77617401e9d13dcdbf8608c691b26785e4f60ed07d62eb4eb410f1228d3c4083bd946fe7c2b64b

Download Submit
memory/1624-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1624-1-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/1624-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-13-0x0000000002D20000-0x0000000002DA6000-memory.dmp

Filesize
536KB

Download
memory/1624-42-0x0000000002D20000-0x0000000002DA6000-memory.dmp

Filesize
536KB

Download
memory/2596-18-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2596-43-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing