6f6fdbd4431305de4c3b92de91c0d6d29792c08d9201c8c3ff27f1116c46a9ad

General

Target

b83e8a96f7ed1194d0aba8cab1e13d9b.exe
Size

2.6MB
MD5

b83e8a96f7ed1194d0aba8cab1e13d9b
SHA1

6cc8372b1241d60fc4e0dfd495725f509b78d36e
SHA256

6f6fdbd4431305de4c3b92de91c0d6d29792c08d9201c8c3ff27f1116c46a9ad
SHA512

cbb51f14ebd1c63fed9fa0a51a74677d23682f4b0b71dd4162b8965da212f061812a7a05d6421a0f1912f21e3e0df2c3e7f9f9112c0cb8352e407103659b08c4
SSDEEP

49152:dU62vvnyJ7gfS2GgIKUAcyd5ulcn2SlTPvYPZvzqaPay3:mn53fxDe49n9a3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2072	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Loads dropped DLL 1 IoCs

pid	Process
1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1184-2-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000c000000012241-13.dat	upx
behavioral1/files/0x000c000000012241-11.dat	upx
behavioral1/files/0x000c000000012241-14.dat	upx
behavioral1/memory/2072-16-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b83e8a96f7ed1194d0aba8cab1e13d9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b83e8a96f7ed1194d0aba8cab1e13d9b.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b83e8a96f7ed1194d0aba8cab1e13d9b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe
2072	b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2072	1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe	28
PID 1184 wrote to memory of 2072	1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe	28
PID 1184 wrote to memory of 2072	1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe	28
PID 1184 wrote to memory of 2072	1184	b83e8a96f7ed1194d0aba8cab1e13d9b.exe	28

C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe
"C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe
  C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Filesize
768KB

MD5
e53a27b39df246e54f9822fa865dc522

SHA1
2c03b64bb11273d130e3914d8b98ef91fae40b02

SHA256
8bea74f5d8103bc3a2bc823333e4f5845d0e874c6acfc9044d7ebe8381cc395e

SHA512
00b7794940a37a9ade283d10effe26d3605a6c695acdaa2bb12519a3aacd8dcb83df947e1f692b4b8d4efc70c51e7195adba873f9932b264269da3e65d121a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Filesize
2.6MB

MD5
1a9ddb07772f1277a4391628dd6629e9

SHA1
6be21d1efb709f72f402f3a24c017d72303583d8

SHA256
3627f3cfab9f6128200fc1ce4a014964c6db84f26db72556f43de65d61660c20

SHA512
5eb4beddaa97364e73bd021bc3ee39947a8b690e069551c7f89bed94320c7b1b02a8f34f98bd29bffd7ea1d4bdc5aaa04d8d86ebc90a40cffa3562cade62d7ff

Download Submit
\Users\Admin\AppData\Local\Temp\b83e8a96f7ed1194d0aba8cab1e13d9b.exe

Filesize
704KB

MD5
8c1908d9fbf7dfebf1b946897d11811e

SHA1
b5f536ca2c6e9e3f329d450e8dec17e31a10e2d2

SHA256
e87f51acd94b8bf9ab73c2753dac50f81cc386681f69e6df53423916573d1ebe

SHA512
e07c4f988278ca526fe3c8fa006145ead7f9ff157b63433d2472aabe3794eecf24740767117a02bcb8613fc4251c58c68a290399024c0f5fcf693e7744ad7563

Download Submit
memory/1184-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1184-2-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1184-4-0x0000000002290000-0x00000000024EA000-memory.dmp

Filesize
2.4MB

Download
memory/1184-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2072-16-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2072-18-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2072-42-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing