f74bca0380d52ce1d872de5880de3a569c486ee7032fda93804e99277b73d387

General

Target

a145b92e958e208948a122e674ad2148.exe
Size

5.0MB
MD5

a145b92e958e208948a122e674ad2148
SHA1

6a53bd3a42cedaab4fe35b532309e2a7566fdefb
SHA256

f74bca0380d52ce1d872de5880de3a569c486ee7032fda93804e99277b73d387
SHA512

8158373c1c3659fa5e79d3f69be34cee4e67ac0b5b75bd94a33cee240729eea30cd80ddf5f44290a20d7e66bd071e2b07cc9ca2eb10d179df0d93e57764c815e
SSDEEP

49152:XvItnr32K/ukk/gr5QiqfOELdQoaJW/OOkgWxTgT5XZAdd:/inr32KG/E5QmEL+oaIGy0E5Wd

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2080	a145b92e958e208948a122e674ad2148.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	a145b92e958e208948a122e674ad2148.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	a145b92e958e208948a122e674ad2148.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/files/0x000a000000014a94-11.dat	upx
behavioral1/files/0x000a000000014a94-16.dat	upx
behavioral1/memory/2080-20-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a145b92e958e208948a122e674ad2148.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a145b92e958e208948a122e674ad2148.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a145b92e958e208948a122e674ad2148.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a145b92e958e208948a122e674ad2148.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2820	a145b92e958e208948a122e674ad2148.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	a145b92e958e208948a122e674ad2148.exe
2080	a145b92e958e208948a122e674ad2148.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2080	2820	a145b92e958e208948a122e674ad2148.exe	29
PID 2820 wrote to memory of 2080	2820	a145b92e958e208948a122e674ad2148.exe	29
PID 2820 wrote to memory of 2080	2820	a145b92e958e208948a122e674ad2148.exe	29
PID 2820 wrote to memory of 2080	2820	a145b92e958e208948a122e674ad2148.exe	29

C:\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe
"C:\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe
  C:\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe

Filesize
388KB

MD5
29188281bf26254fc8a98e3976e2e42a

SHA1
c63f0e00a442cf6eb306a043c9b1d8429efde93f

SHA256
0d13b64cae196808982c26744100c895229aaa76757985c7289ebf35275abac9

SHA512
e66bc4ddd8c2916e81f01798b8173388fbb39789e7d851a12a3bf3372a6131f7f41a05899762f4b57d4807ea4e11c2e7647ab25b710506471c6b9f83f8afaee6

Download Submit
\Users\Admin\AppData\Local\Temp\a145b92e958e208948a122e674ad2148.exe

Filesize
496KB

MD5
66989c75a7ef9171639f582ca7cd9d75

SHA1
3f029fae11ef42f9523df8b429cf08878bfe157e

SHA256
dc73166ccffa2dc1ff1f1e23a313785a3bec78720425d68f92429c5929099558

SHA512
331683a4c9157ed24d87c19aa48f4def8490bf2a7497fc21dbd0625c98cc769c5ff9a66b2adfe928fcc7230702a6a14bf1f150cdd939851f6e104f2d837ab459

Download Submit
memory/2080-20-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2080-22-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/2080-44-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2820-0-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2820-1-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2820-3-0x0000000002120000-0x000000000234E000-memory.dmp

Filesize
2.2MB

Download
memory/2820-17-0x0000000003C60000-0x0000000004541000-memory.dmp

Filesize
8.9MB

Download
memory/2820-15-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2820-43-0x0000000003C60000-0x0000000004541000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing