9e18a89c79fba1921f5de97ed8063d76b8af32c54e5cf2b688f1149d4a227dc5

General

Target

b8604162466154d6f90d7df94111e20a.exe
Size

1003KB
MD5

b8604162466154d6f90d7df94111e20a
SHA1

5f979878bddec4e103ebaa75713bd097d13ce4e7
SHA256

9e18a89c79fba1921f5de97ed8063d76b8af32c54e5cf2b688f1149d4a227dc5
SHA512

98aa1fe28392f171cdfee660c30414d8bfaf083cd22d43a1454dc39f2c00e150e1aaa72496729d666abbcaa296980e55eb0b9431bde63927a73e6ece2c4bc5d3
SSDEEP

24576:JLSP60v/4yHtDPDJZ6VknyN2aPHrSVp7HT6O9:xY60v/4yHtDPDJZowyN2aTSVpT+O9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	b8604162466154d6f90d7df94111e20a.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	b8604162466154d6f90d7df94111e20a.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	b8604162466154d6f90d7df94111e20a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012257-11.dat	upx
behavioral1/files/0x000b000000012257-13.dat	upx
behavioral1/files/0x000b000000012257-17.dat	upx
behavioral1/memory/2012-16-0x0000000022F00000-0x000000002315C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2620	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	b8604162466154d6f90d7df94111e20a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	b8604162466154d6f90d7df94111e20a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b8604162466154d6f90d7df94111e20a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b8604162466154d6f90d7df94111e20a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	b8604162466154d6f90d7df94111e20a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2012	b8604162466154d6f90d7df94111e20a.exe
3044	b8604162466154d6f90d7df94111e20a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3044	2012	b8604162466154d6f90d7df94111e20a.exe	29
PID 2012 wrote to memory of 3044	2012	b8604162466154d6f90d7df94111e20a.exe	29
PID 2012 wrote to memory of 3044	2012	b8604162466154d6f90d7df94111e20a.exe	29
PID 2012 wrote to memory of 3044	2012	b8604162466154d6f90d7df94111e20a.exe	29
PID 3044 wrote to memory of 2620	3044	b8604162466154d6f90d7df94111e20a.exe	30
PID 3044 wrote to memory of 2620	3044	b8604162466154d6f90d7df94111e20a.exe	30
PID 3044 wrote to memory of 2620	3044	b8604162466154d6f90d7df94111e20a.exe	30
PID 3044 wrote to memory of 2620	3044	b8604162466154d6f90d7df94111e20a.exe	30
PID 3044 wrote to memory of 2560	3044	b8604162466154d6f90d7df94111e20a.exe	32
PID 3044 wrote to memory of 2560	3044	b8604162466154d6f90d7df94111e20a.exe	32
PID 3044 wrote to memory of 2560	3044	b8604162466154d6f90d7df94111e20a.exe	32
PID 3044 wrote to memory of 2560	3044	b8604162466154d6f90d7df94111e20a.exe	32
PID 2560 wrote to memory of 2544	2560	cmd.exe	34
PID 2560 wrote to memory of 2544	2560	cmd.exe	34
PID 2560 wrote to memory of 2544	2560	cmd.exe	34
PID 2560 wrote to memory of 2544	2560	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
"C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
  C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\5zcn3gYv.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zcn3gYv.xml

Filesize
1KB

MD5
d1b16d63c35cb3753238d60f878eff6d

SHA1
e9b6aac705b3e48ad547678858a6657b3f669a8b

SHA256
ef42b034a5dfabe1f5bd4231ac87cf6f605b9231f1dc62e985832c6a7bb7164b

SHA512
621f4ec263b753c413914cbb9e37babb67281e1e40eca855de07e6f81507dd37bf487a6318cf71a4c9e6911f04d26089f6c3eba8964121ee82eade3af8a3d3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe

Filesize
896KB

MD5
2f93b638314778f871ed6392e16a5574

SHA1
0e9d1f73057d3a71855e577d15f01aee09900926

SHA256
137ff9ca4c858aeff75cdaaa52a51beb60f2ec8246bd68992d95e098130045bf

SHA512
c53c4dd3467b11ac1e6a566ab2b43591e00248b5fd09a10ce088df4c0f3d36254918d74a6b535588daa2a51775024215d0bf53523d739727cc22e255d7bdd1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe

Filesize
768KB

MD5
c6e425a212bf66993030094f89114cf4

SHA1
67bc58eccef0345f65f609a7cf0033d12186a9e1

SHA256
2399712fad2c8e5d33907ae0bf6d401326849f5e4c44a967e448fe70f60275be

SHA512
d3395aba26a996d74acf67f9be0d8612f5b4ace2e4b46bc4cb08fc24c21a338fb6eb8b49960dad88490886a4409e32b717c708db4032c7ee964b0102159e734a

Download Submit
\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe

Filesize
960KB

MD5
a622623ec89900686b38cc0d9ce83067

SHA1
ef01ec514e956a7971dbcbff5040942ffced22e7

SHA256
97b4109763aa541fd5f304f0da941148aa5d75ec3099d7c8b2a472b722727a08

SHA512
152570e57cb6331f1f337f8a440f90d883723c330c2f18241bf5875b15f010036a3572d3c7b7167105ee21e8fa2205d5c4b0d51186a7925f2a5e7f6c271d527e

Download Submit
memory/2012-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2012-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2012-16-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2012-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2012-3-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2012-53-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/3044-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3044-21-0x0000000000270000-0x00000000002EE000-memory.dmp

Filesize
504KB

Download
memory/3044-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-31-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/3044-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads