5293279b98a0ceab456397ac6d392594e8a43699be8e3fdc8d2082bfd40226cd

General

Target

ab324a477296c87fcfa89fcf22708d00.exe
Size

1003KB
MD5

ab324a477296c87fcfa89fcf22708d00
SHA1

7b9adb74ab1990d8bbf814ca7831ccfb9c3acaa5
SHA256

5293279b98a0ceab456397ac6d392594e8a43699be8e3fdc8d2082bfd40226cd
SHA512

7489f17ddb686b3b90aafb56b739690cdedcbdea2d9e6526baa0287d53d058d9a007e5ca7ab8f81b9030ff9e7b356a622f5f9d2d3628772bf765a82cfc8f8b36
SSDEEP

24576:gWVQYYQmWxRHEqFcNWjb6tbeeIeau20JYJNzCl+:gWVQYYQXxRHzIWjb6trIeau20JY6l+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2516	ab324a477296c87fcfa89fcf22708d00.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	ab324a477296c87fcfa89fcf22708d00.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	ab324a477296c87fcfa89fcf22708d00.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012262-11.dat	upx
behavioral1/files/0x0008000000012262-17.dat	upx
behavioral1/memory/2516-19-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2460-16-0x0000000022F20000-0x000000002317C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	ab324a477296c87fcfa89fcf22708d00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ab324a477296c87fcfa89fcf22708d00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ab324a477296c87fcfa89fcf22708d00.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	ab324a477296c87fcfa89fcf22708d00.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2460	ab324a477296c87fcfa89fcf22708d00.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2460	ab324a477296c87fcfa89fcf22708d00.exe
2516	ab324a477296c87fcfa89fcf22708d00.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2516	2460	ab324a477296c87fcfa89fcf22708d00.exe	29
PID 2460 wrote to memory of 2516	2460	ab324a477296c87fcfa89fcf22708d00.exe	29
PID 2460 wrote to memory of 2516	2460	ab324a477296c87fcfa89fcf22708d00.exe	29
PID 2460 wrote to memory of 2516	2460	ab324a477296c87fcfa89fcf22708d00.exe	29
PID 2516 wrote to memory of 2748	2516	ab324a477296c87fcfa89fcf22708d00.exe	30
PID 2516 wrote to memory of 2748	2516	ab324a477296c87fcfa89fcf22708d00.exe	30
PID 2516 wrote to memory of 2748	2516	ab324a477296c87fcfa89fcf22708d00.exe	30
PID 2516 wrote to memory of 2748	2516	ab324a477296c87fcfa89fcf22708d00.exe	30
PID 2516 wrote to memory of 1900	2516	ab324a477296c87fcfa89fcf22708d00.exe	32
PID 2516 wrote to memory of 1900	2516	ab324a477296c87fcfa89fcf22708d00.exe	32
PID 2516 wrote to memory of 1900	2516	ab324a477296c87fcfa89fcf22708d00.exe	32
PID 2516 wrote to memory of 1900	2516	ab324a477296c87fcfa89fcf22708d00.exe	32
PID 1900 wrote to memory of 2640	1900	cmd.exe	34
PID 1900 wrote to memory of 2640	1900	cmd.exe	34
PID 1900 wrote to memory of 2640	1900	cmd.exe	34
PID 1900 wrote to memory of 2640	1900	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe
"C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe
  C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe" /TN MJu5Ub8Eff50 /F
    3⤵
    - Creates scheduled task(s)
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MJu5Ub8Eff50 > C:\Users\Admin\AppData\Local\Temp\924OhkB.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MJu5Ub8Eff50
      4⤵
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\924OhkB.xml

Filesize
1KB

MD5
c3f43da1c13498a258e801ba263ab50f

SHA1
02f137a759622e592539accd040cf94b74e98f77

SHA256
1bb49c61de3d16d3c5867583240362a5e740ec82c327981d70a53491070395e3

SHA512
eb0794eca79152cd79cdecbcf8c0fc7d639cef823d038644b695b6f5580a3d23429366f1b561da2aa9e4c7462b739a194ae71f23cfdfdfe28f2f4e641d3f130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe

Filesize
392KB

MD5
6c3d127205262079904551066ce1be8e

SHA1
fb0d197c3af79a7f44b93ba2207b2f991f7a09c7

SHA256
cc1f6c869eda5b7affae858aa89fd26bbfecd8ec9242f88d29612c0d7b2ab44a

SHA512
11b03e3a122d808d563767a405c7242dff2a306797db4db368a116f69c3163a863b53dfce0d05fe92e262095683f88f4ac8d596e8574da4225573ea12ce909a4

Download Submit
\Users\Admin\AppData\Local\Temp\ab324a477296c87fcfa89fcf22708d00.exe

Filesize
557KB

MD5
4c9d9cc2943d5af9bdb82695604c2474

SHA1
2432ec787f3323f5409af19317661d8713753a6b

SHA256
b75115f9d2ae1f919275845e715e4f3539d4d37f2a6fb8dee4a4b5da1246139a

SHA512
2e33a8d74f3368ab01d1940d24aad1fc0236b466a164059fdb6df194234abf9ef9388f783880cb7e2207da75a06fb02cb610f7ba003372ea2e8c3503a5658df8

Download Submit
memory/2460-16-0x0000000022F20000-0x000000002317C000-memory.dmp

Filesize
2.4MB

Download
memory/2460-4-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2460-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2460-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2460-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2516-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2516-21-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2516-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2516-27-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/2516-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads