3610fbc3151b2824dcbca7d110100ed0459fff27dd693292a405b43c331d7fdf

General

Target

b81a9539a59fa863d413405637988a9c.exe
Size

1.5MB
MD5

b81a9539a59fa863d413405637988a9c
SHA1

aa4e942633e8f441cf480fa2d6006b2587e56138
SHA256

3610fbc3151b2824dcbca7d110100ed0459fff27dd693292a405b43c331d7fdf
SHA512

24bfdd611099d45050ad4f966dc6b44ca7fea15e1b35e3937b3a2170b7d9d2caa218ba4eae40f7d29ae37bef8bdf55f3e7799e741db4dfa7bc1e09494849f471
SSDEEP

24576:Grr0V7m3w3LVtCPrYF9cjukL2r1R4c0buHXTnuesv5scjukL2Y:Grr0lkCLVwMF9cakL21R4c0a3Tnues5T

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	b81a9539a59fa863d413405637988a9c.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	b81a9539a59fa863d413405637988a9c.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	b81a9539a59fa863d413405637988a9c.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d000000012253-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b81a9539a59fa863d413405637988a9c.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b81a9539a59fa863d413405637988a9c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b81a9539a59fa863d413405637988a9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b81a9539a59fa863d413405637988a9c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2856	b81a9539a59fa863d413405637988a9c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2856	b81a9539a59fa863d413405637988a9c.exe
2564	b81a9539a59fa863d413405637988a9c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2564	2856	b81a9539a59fa863d413405637988a9c.exe	29
PID 2856 wrote to memory of 2564	2856	b81a9539a59fa863d413405637988a9c.exe	29
PID 2856 wrote to memory of 2564	2856	b81a9539a59fa863d413405637988a9c.exe	29
PID 2856 wrote to memory of 2564	2856	b81a9539a59fa863d413405637988a9c.exe	29
PID 2564 wrote to memory of 2532	2564	b81a9539a59fa863d413405637988a9c.exe	30
PID 2564 wrote to memory of 2532	2564	b81a9539a59fa863d413405637988a9c.exe	30
PID 2564 wrote to memory of 2532	2564	b81a9539a59fa863d413405637988a9c.exe	30
PID 2564 wrote to memory of 2532	2564	b81a9539a59fa863d413405637988a9c.exe	30
PID 2564 wrote to memory of 2448	2564	b81a9539a59fa863d413405637988a9c.exe	32
PID 2564 wrote to memory of 2448	2564	b81a9539a59fa863d413405637988a9c.exe	32
PID 2564 wrote to memory of 2448	2564	b81a9539a59fa863d413405637988a9c.exe	32
PID 2564 wrote to memory of 2448	2564	b81a9539a59fa863d413405637988a9c.exe	32
PID 2448 wrote to memory of 2504	2448	cmd.exe	34
PID 2448 wrote to memory of 2504	2448	cmd.exe	34
PID 2448 wrote to memory of 2504	2448	cmd.exe	34
PID 2448 wrote to memory of 2504	2448	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe
"C:\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe
  C:\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe" /TN w6CK1HQd991c /F
    3⤵
    - Creates scheduled task(s)
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN w6CK1HQd991c > C:\Users\Admin\AppData\Local\Temp\it2cca.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN w6CK1HQd991c
      4⤵
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\it2cca.xml

Filesize
1KB

MD5
01e807b7c4e0c57cf76f10d7560ca004

SHA1
f5e002b2b6dbcd473162ab37e678093f3a271eb0

SHA256
6faf52cf6f3440d0d629c36adb922a8a729b1962cbb80dd835e45fb5156a1b2f

SHA512
8c0fb8722e4d5109d0988280fc3cb5a35cbcd32b2c550c20146f6f0f03104f928611c9f8c6dbb4956de3ca842cd1e578f4c6322242f279e134f171806c593565

Download Submit
\Users\Admin\AppData\Local\Temp\b81a9539a59fa863d413405637988a9c.exe

Filesize
1.5MB

MD5
e8b8a6fb620d7836b1c1ce5de7ab5dab

SHA1
8491faaab69f32150de529659186ac1ec3fc08e1

SHA256
5d094375f5c313b6c8ad0534561df6ce1790f2101040b3c72da251937bf24416

SHA512
fc75233bc0a48a0a0dbd2dc49d5cc84106bd9cd057f82ad4177a63529a34a7aa49f0ff2d58ad6ae20b36d92ef997a15dc707e40e0284d7a9a5f0b7d63e498a0b

Download Submit
memory/2564-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2564-21-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2564-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2564-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2564-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2856-5-0x00000000001B0000-0x000000000022E000-memory.dmp

Filesize
504KB

Download
memory/2856-16-0x0000000023080000-0x00000000232DC000-memory.dmp

Filesize
2.4MB

Download
memory/2856-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads