590f71a7af313685c7ed5ebae38ad9bf0d12e1f9fcb8741bdfdfe977e4f1feff

General

Target

b6e6542495dedf19c062383f59f82dd2.exe
Size

1003KB
MD5

b6e6542495dedf19c062383f59f82dd2
SHA1

df4846bcf1a5909a09a1576e70033bd4985733ef
SHA256

590f71a7af313685c7ed5ebae38ad9bf0d12e1f9fcb8741bdfdfe977e4f1feff
SHA512

108e44ba6e9de7befd8a9a206c91669e9527eb619d8303a0984dbbbfa52cc023219b14ba874a4703e8d8fb33d478e8e6bf7c94b84bc900e24568e02aa6dd82e6
SSDEEP

24576:N0dF2ZM+nu0KiV+b9+9KT22cjukL2CDYibq6/yqLNaF:N0dFOXnu03V+b9+9Ka2cakLz0ibq6yqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
864	b6e6542495dedf19c062383f59f82dd2.exe

Executes dropped EXE 1 IoCs

pid	Process
864	b6e6542495dedf19c062383f59f82dd2.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	b6e6542495dedf19c062383f59f82dd2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c00000001222a-11.dat	upx
behavioral1/memory/2936-15-0x0000000022F00000-0x000000002315C000-memory.dmp	upx
behavioral1/memory/864-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2056	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b6e6542495dedf19c062383f59f82dd2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b6e6542495dedf19c062383f59f82dd2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b6e6542495dedf19c062383f59f82dd2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b6e6542495dedf19c062383f59f82dd2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2936	b6e6542495dedf19c062383f59f82dd2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2936	b6e6542495dedf19c062383f59f82dd2.exe
864	b6e6542495dedf19c062383f59f82dd2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 864	2936	b6e6542495dedf19c062383f59f82dd2.exe	29
PID 2936 wrote to memory of 864	2936	b6e6542495dedf19c062383f59f82dd2.exe	29
PID 2936 wrote to memory of 864	2936	b6e6542495dedf19c062383f59f82dd2.exe	29
PID 2936 wrote to memory of 864	2936	b6e6542495dedf19c062383f59f82dd2.exe	29
PID 864 wrote to memory of 2056	864	b6e6542495dedf19c062383f59f82dd2.exe	30
PID 864 wrote to memory of 2056	864	b6e6542495dedf19c062383f59f82dd2.exe	30
PID 864 wrote to memory of 2056	864	b6e6542495dedf19c062383f59f82dd2.exe	30
PID 864 wrote to memory of 2056	864	b6e6542495dedf19c062383f59f82dd2.exe	30
PID 864 wrote to memory of 2712	864	b6e6542495dedf19c062383f59f82dd2.exe	32
PID 864 wrote to memory of 2712	864	b6e6542495dedf19c062383f59f82dd2.exe	32
PID 864 wrote to memory of 2712	864	b6e6542495dedf19c062383f59f82dd2.exe	32
PID 864 wrote to memory of 2712	864	b6e6542495dedf19c062383f59f82dd2.exe	32
PID 2712 wrote to memory of 2448	2712	cmd.exe	34
PID 2712 wrote to memory of 2448	2712	cmd.exe	34
PID 2712 wrote to memory of 2448	2712	cmd.exe	34
PID 2712 wrote to memory of 2448	2712	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe
"C:\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe
  C:\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe" /TN uoFCMKY16031 /F
    3⤵
    - Creates scheduled task(s)
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uoFCMKY16031 > C:\Users\Admin\AppData\Local\Temp\I5UwL.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uoFCMKY16031
      4⤵
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\I5UwL.xml

Filesize
1KB

MD5
e1f76e0810f20b8e13971f54b1c13b11

SHA1
f3b6827a20a7466ed25327df3f041d93021e2a77

SHA256
85e52d3642bf6d179e0c6ba6e6f4c864654fa628296b749207f1c1d5e2ec97dd

SHA512
f4f8df4a61d0a39f76938abd2669b698be394948a412f79762ad8e8e1d51858c505156612284a39e338f8444070e65885346545d8128e08afd67664059a560bf

Download Submit
\Users\Admin\AppData\Local\Temp\b6e6542495dedf19c062383f59f82dd2.exe

Filesize
1003KB

MD5
f837592d7b3e7a11ddc6c6cf456d1abf

SHA1
d9378034cdc16d945d993c22927bb7f2f50deafd

SHA256
19a34e5f607a76a4598219e2e903b08f0774c67b588cbfdbf6f391bd8b720de1

SHA512
e72da0bcbd42377cac8b366309446bf0df6c4701a1717bf851b6bf77a46ad6ad67c2384b131d4c34f957774117a230b619bd0bc74e9b82e136e462c9af1df8bc

Download Submit
memory/864-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/864-20-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/864-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/864-29-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/864-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2936-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2936-2-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2936-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2936-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2936-15-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads