81aee567f3ce499e28fd5f4d523111d29136a65de7298ce1fe86017970b9cf33

General

Target

a23311bcba7d3cd45f6867c6bf8a0717.exe
Size

10.2MB
MD5

a23311bcba7d3cd45f6867c6bf8a0717
SHA1

341d484383c7967bb1cb61c9d4481e745f6eefb6
SHA256

81aee567f3ce499e28fd5f4d523111d29136a65de7298ce1fe86017970b9cf33
SHA512

3ad95910865304cbbac804ba1b9eb4bbf0c00bf7b54667777d310601f1b4484d256e08b85f7572a73a984030a23770ed80fe341ce86495c9bb71fe308df5727f
SSDEEP

98304:w/E/Auq+u30g2yOEjjs9/g3M7ov4K1RrYdMA30g2yOEjjs9/g3:w8Yuq6ZUju/doQE1ZUju/

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	a23311bcba7d3cd45f6867c6bf8a0717.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	a23311bcba7d3cd45f6867c6bf8a0717.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	a23311bcba7d3cd45f6867c6bf8a0717.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0008000000012254-11.dat	upx
behavioral1/files/0x0008000000012254-16.dat	upx
behavioral1/memory/2612-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a23311bcba7d3cd45f6867c6bf8a0717.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a23311bcba7d3cd45f6867c6bf8a0717.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	a23311bcba7d3cd45f6867c6bf8a0717.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	a23311bcba7d3cd45f6867c6bf8a0717.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	a23311bcba7d3cd45f6867c6bf8a0717.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2696	a23311bcba7d3cd45f6867c6bf8a0717.exe
2612	a23311bcba7d3cd45f6867c6bf8a0717.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2612	2696	a23311bcba7d3cd45f6867c6bf8a0717.exe	28
PID 2696 wrote to memory of 2612	2696	a23311bcba7d3cd45f6867c6bf8a0717.exe	28
PID 2696 wrote to memory of 2612	2696	a23311bcba7d3cd45f6867c6bf8a0717.exe	28
PID 2696 wrote to memory of 2612	2696	a23311bcba7d3cd45f6867c6bf8a0717.exe	28

C:\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe
"C:\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe
  C:\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe

Filesize
3.1MB

MD5
c3be466edff31d6eaf4d43b08059a17f

SHA1
8b81669ac4e5b8f0a44a4e93cee0c7e1865cbbe2

SHA256
2054ee819aa0c915bf53e6232cefce2de7e889970152e97be65f9b30023aed22

SHA512
78488066c69b5a28274930338efb04cb6e91f465632d95f1d09becc60a1bd347f6059009cd34aaf7a34bcce0617f4f083ced593faa288081758e8df93fe02caa

Download Submit
\Users\Admin\AppData\Local\Temp\a23311bcba7d3cd45f6867c6bf8a0717.exe

Filesize
3.4MB

MD5
f5b927b17637b84f2d1c665c121c1be2

SHA1
748aba8b1fbfc99c3d041b2142af47fd3d6017de

SHA256
c17fd1eccd8f2ff9630f75d4d190dd51e2b93c47fdb7075d043eb630a5c05e41

SHA512
584315ff534dae2c813fc982ff6fd3c7ad6c222626941bf46a817b4cac01118ff896f742092167e4441a1e611cf5b09428af0f7159e7222460fdb98ec60cc307

Download Submit
memory/2612-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2612-20-0x0000000002230000-0x000000000248A000-memory.dmp

Filesize
2.4MB

Download
memory/2612-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2696-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2696-2-0x00000000021B0000-0x000000000240A000-memory.dmp

Filesize
2.4MB

Download
memory/2696-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2696-15-0x0000000004CB0000-0x000000000564E000-memory.dmp

Filesize
9.6MB

Download
memory/2696-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2696-42-0x0000000004CB0000-0x000000000564E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing