5eead3e931d9774e5a2d0f53a5ac7a300953981158dd48dadbfb830bcf3bab70

General

Target

b6cbbe888c0edff9a6e958ecf1a679fc.exe
Size

2.0MB
MD5

b6cbbe888c0edff9a6e958ecf1a679fc
SHA1

98367ce7a220ab9422a9865b8eb561f0353577cd
SHA256

5eead3e931d9774e5a2d0f53a5ac7a300953981158dd48dadbfb830bcf3bab70
SHA512

373a65abf6512d1cb72fc4cb20f6456d98c6827dfa8ad47b547808aad5da1bd2000d65fa170b3a1d698a7c5d54aa749dcd6a6383576b00026be57ac41d8561eb
SSDEEP

49152:VM7lUBDM8e23Rd4/rgo3hLIUgHcCdVG88qBmXBQ2sbg4MXT24/rgo3hLIUgHcCdO:K+BDM8e23RWrg0IJH/d0FamXBQ2skJXB

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2976-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012235-11.dat	upx
behavioral1/memory/2976-16-0x00000000231B0000-0x000000002340C000-memory.dmp	upx
behavioral1/files/0x0009000000012235-17.dat	upx
behavioral1/memory/3008-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b6cbbe888c0edff9a6e958ecf1a679fc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b6cbbe888c0edff9a6e958ecf1a679fc.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b6cbbe888c0edff9a6e958ecf1a679fc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b6cbbe888c0edff9a6e958ecf1a679fc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe
3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3008	2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe	29
PID 2976 wrote to memory of 3008	2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe	29
PID 2976 wrote to memory of 3008	2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe	29
PID 2976 wrote to memory of 3008	2976	b6cbbe888c0edff9a6e958ecf1a679fc.exe	29
PID 3008 wrote to memory of 2516	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	30
PID 3008 wrote to memory of 2516	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	30
PID 3008 wrote to memory of 2516	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	30
PID 3008 wrote to memory of 2516	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	30
PID 3008 wrote to memory of 2620	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	32
PID 3008 wrote to memory of 2620	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	32
PID 3008 wrote to memory of 2620	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	32
PID 3008 wrote to memory of 2620	3008	b6cbbe888c0edff9a6e958ecf1a679fc.exe	32
PID 2620 wrote to memory of 2648	2620	cmd.exe	34
PID 2620 wrote to memory of 2648	2620	cmd.exe	34
PID 2620 wrote to memory of 2648	2620	cmd.exe	34
PID 2620 wrote to memory of 2648	2620	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe
"C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe
  C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe" /TN uoFCMKY16031 /F
    3⤵
    - Creates scheduled task(s)
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uoFCMKY16031 > C:\Users\Admin\AppData\Local\Temp\suQPV.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uoFCMKY16031
      4⤵
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe

Filesize
2.0MB

MD5
eec3ba7362f7e16b279c7705d73d3c9b

SHA1
8b41d786bc13346b4d34d5e8991002784a5ad9e5

SHA256
4079312902ffc44e328b9ab453b5bd28152157234cb403d959422c0353e7a8c3

SHA512
98d80f8f49c4d3c618f897d70b56b395ff50e46241aeb62f206317ff49a9d30a1db33992d08fbb31dbdf845b7d5fcc36daccb82dd79c309b43acd75963aa302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\suQPV.xml

Filesize
1KB

MD5
f6e2ca8c3a4abf000ff1e7f8017912eb

SHA1
d6161c5e3d2bce371f812e81e477dba281de6826

SHA256
b88b278334f8777b63bb5e65d62bdaf1cea9c5e1d35d27c7caf6064a0fceb35e

SHA512
cbba61f1d9aa27bfe0918d5e4f68b5c4963d5dab9fde8939fa025d68c9ff4af4c5dca8cc5cd2d91e5154e41f7c5dd2b2f3e605c3d58228a79a7f05af34a9390f

Download Submit
\Users\Admin\AppData\Local\Temp\b6cbbe888c0edff9a6e958ecf1a679fc.exe

Filesize
1.1MB

MD5
cbd7609e63236e1cd8953b16147dc877

SHA1
238cf19c0809b654650364c3326b789a7372e21a

SHA256
05fdc000352b65a97c8b58337d77bbfbfc7bf8ea2ea5c063f6050961404532bf

SHA512
66c9201b870be5a83e30ff1f73d39a8322ed2d0f5f76a39b234c10a39e04e18c85cd3dab63d23ce3cbc33f74fd630c47140b8e7ac167c6c62b0b4181ad9f2e24

Download Submit
memory/2976-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2976-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-16-0x00000000231B0000-0x000000002340C000-memory.dmp

Filesize
2.4MB

Download
memory/2976-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-2-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/3008-20-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/3008-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3008-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-28-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/3008-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads