09e1dddb71d0f0d6fcd6c6c54858da4a2da566966e694e4af414648720825e02

General

Target

b4d60afd0e91822f501ca5dbd163e6fd.exe
Size

2.0MB
MD5

b4d60afd0e91822f501ca5dbd163e6fd
SHA1

c4f02245cae35a925983013439de7b76da03b65d
SHA256

09e1dddb71d0f0d6fcd6c6c54858da4a2da566966e694e4af414648720825e02
SHA512

db6df604c37b5654f47bbab6535d69bbc061c5f438e7f628bdc3c9cf5baf24f527ec5108358a4e7181cafe5211ade1fb7a9f089967cbca12f8e9acb5e4293258
SSDEEP

49152:DEwvL7uUcakLz0ibq6yqhLMgN0EbLYwE6cakLz0ibq6yqh:DEwnbcakcibiqh/N0EbUwNcakcibiqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	b4d60afd0e91822f501ca5dbd163e6fd.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	b4d60afd0e91822f501ca5dbd163e6fd.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	b4d60afd0e91822f501ca5dbd163e6fd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/1224-16-0x0000000023420000-0x000000002367C000-memory.dmp	upx
behavioral1/memory/2884-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012262-17.dat	upx
behavioral1/files/0x0008000000012262-13.dat	upx
behavioral1/files/0x0008000000012262-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2380	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b4d60afd0e91822f501ca5dbd163e6fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b4d60afd0e91822f501ca5dbd163e6fd.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b4d60afd0e91822f501ca5dbd163e6fd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b4d60afd0e91822f501ca5dbd163e6fd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1224	b4d60afd0e91822f501ca5dbd163e6fd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1224	b4d60afd0e91822f501ca5dbd163e6fd.exe
2884	b4d60afd0e91822f501ca5dbd163e6fd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2884	1224	b4d60afd0e91822f501ca5dbd163e6fd.exe	29
PID 1224 wrote to memory of 2884	1224	b4d60afd0e91822f501ca5dbd163e6fd.exe	29
PID 1224 wrote to memory of 2884	1224	b4d60afd0e91822f501ca5dbd163e6fd.exe	29
PID 1224 wrote to memory of 2884	1224	b4d60afd0e91822f501ca5dbd163e6fd.exe	29
PID 2884 wrote to memory of 2380	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	30
PID 2884 wrote to memory of 2380	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	30
PID 2884 wrote to memory of 2380	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	30
PID 2884 wrote to memory of 2380	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	30
PID 2884 wrote to memory of 2692	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	32
PID 2884 wrote to memory of 2692	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	32
PID 2884 wrote to memory of 2692	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	32
PID 2884 wrote to memory of 2692	2884	b4d60afd0e91822f501ca5dbd163e6fd.exe	32
PID 2692 wrote to memory of 2552	2692	cmd.exe	34
PID 2692 wrote to memory of 2552	2692	cmd.exe	34
PID 2692 wrote to memory of 2552	2692	cmd.exe	34
PID 2692 wrote to memory of 2552	2692	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe
"C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe
  C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe" /TN MJu5Ub8Eff50 /F
    3⤵
    - Creates scheduled task(s)
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MJu5Ub8Eff50 > C:\Users\Admin\AppData\Local\Temp\Agfdf5l.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MJu5Ub8Eff50
      4⤵
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Agfdf5l.xml

Filesize
1KB

MD5
bdab13ef075a06a62b2f2022e0b5c7da

SHA1
3f5c05ac1861f3f310df71654f77a82395f47fcf

SHA256
cf3646c2a0c0f978380fc2a9b2f96411e1ae1af4af45576bdb0da16c037b5576

SHA512
0ba0a05a1f5df3be13e4f2d697fb0aa0c821a3e3935bb3595d9914d5f199b5e86ca9c5438910eb0ef4af0e17d3b2640bf3cd846c19713f5cf2925db479756411

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe

Filesize
160KB

MD5
819d4a029c82505d73650ac4b64726a4

SHA1
eaa0f56ea55f00489a02818b5bba52dc2b82489a

SHA256
a4836d467b432ad94f68a2b5e7394d550072492c61e042670d4d6135cfa9b10c

SHA512
d4ff2008371557a3e4761353a67e23a18d11ea66e63545e230001201d70726a0227d451011abe47a301562a0a9de27ada1216d37abe4f1ab7cf7e246554c8a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe

Filesize
340KB

MD5
4a9486a82c8e4333731187adb9b7927b

SHA1
dda56d103a82fffdc684ba31f64fec7cf898aae3

SHA256
de4d5a43f73ae06c5fe05a7ab6fde898603715c9ec1fd91ce525cb264500703b

SHA512
eff0440ca34721e50d266759bb14d45cd1a64ca9414583dad78c0e2a3fee04799e38dbc5ee9a92102dd02f1ae6a8111c2ce2a1ca6da6f42063a92deeb2b0028a

Download Submit
\Users\Admin\AppData\Local\Temp\b4d60afd0e91822f501ca5dbd163e6fd.exe

Filesize
285KB

MD5
ff864fbcceab0b5ed7c4dc613d155787

SHA1
f1ffab941c5b63fbb4577a6de78ef455841c8778

SHA256
15c91f2419a4a1b7621c5237acf583ffee7df310cf8ef1d80f5719a2cc594d47

SHA512
8206b983b2c264ae6a5d9a083be17024ed4e492d79bf2138bc028dd1fb16989e12461eacbe38253e002510077845fdcbc2d552daa78c0db10b4d4121de36a9d6

Download Submit
memory/1224-2-0x00000000002A0000-0x000000000031E000-memory.dmp

Filesize
504KB

Download
memory/1224-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1224-16-0x0000000023420000-0x000000002367C000-memory.dmp

Filesize
2.4MB

Download
memory/1224-53-0x0000000023420000-0x000000002367C000-memory.dmp

Filesize
2.4MB

Download
memory/1224-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1224-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2884-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2884-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-27-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2884-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2884-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads