c0fdfe15221e3c829cb92fdb08e6371944ddd50254100c6ca879aae8d3c2f768

General

Target

c1148c3ceb2973c1eee59dc74c8812a0.exe
Size

1003KB
MD5

c1148c3ceb2973c1eee59dc74c8812a0
SHA1

ddf809da35bbd9261af7530c6dfead4b0a5e3721
SHA256

c0fdfe15221e3c829cb92fdb08e6371944ddd50254100c6ca879aae8d3c2f768
SHA512

93143187097bbe46010ee1ac58d73063fe5bdcd99ea14cf74819152cedf2045d7467c5ae32181fd3da59577e0ebfd1cf3346c853bc38e1945ab0a957422f7c18
SSDEEP

24576:mxz+11KZTWE62NwSHGQoadai7D3uITjIFOxo53ApIj:mz+iZTWF2NwSHGQ7ai7D3xTgOxYwpK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1216	c1148c3ceb2973c1eee59dc74c8812a0.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	c1148c3ceb2973c1eee59dc74c8812a0.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	c1148c3ceb2973c1eee59dc74c8812a0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012254-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c1148c3ceb2973c1eee59dc74c8812a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c1148c3ceb2973c1eee59dc74c8812a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c1148c3ceb2973c1eee59dc74c8812a0.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c1148c3ceb2973c1eee59dc74c8812a0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2312	c1148c3ceb2973c1eee59dc74c8812a0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2312	c1148c3ceb2973c1eee59dc74c8812a0.exe
1216	c1148c3ceb2973c1eee59dc74c8812a0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1216	2312	c1148c3ceb2973c1eee59dc74c8812a0.exe	29
PID 2312 wrote to memory of 1216	2312	c1148c3ceb2973c1eee59dc74c8812a0.exe	29
PID 2312 wrote to memory of 1216	2312	c1148c3ceb2973c1eee59dc74c8812a0.exe	29
PID 2312 wrote to memory of 1216	2312	c1148c3ceb2973c1eee59dc74c8812a0.exe	29
PID 1216 wrote to memory of 2800	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	30
PID 1216 wrote to memory of 2800	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	30
PID 1216 wrote to memory of 2800	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	30
PID 1216 wrote to memory of 2800	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	30
PID 1216 wrote to memory of 2124	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	32
PID 1216 wrote to memory of 2124	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	32
PID 1216 wrote to memory of 2124	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	32
PID 1216 wrote to memory of 2124	1216	c1148c3ceb2973c1eee59dc74c8812a0.exe	32
PID 2124 wrote to memory of 2428	2124	cmd.exe	34
PID 2124 wrote to memory of 2428	2124	cmd.exe	34
PID 2124 wrote to memory of 2428	2124	cmd.exe	34
PID 2124 wrote to memory of 2428	2124	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe
"C:\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe
  C:\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe" /TN ymuVbjyg4de6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN ymuVbjyg4de6 > C:\Users\Admin\AppData\Local\Temp\qRuDCWAH.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN ymuVbjyg4de6
      4⤵
      PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qRuDCWAH.xml

Filesize
1KB

MD5
9faabac672166f6af62133fb2a6cf48d

SHA1
02fa2ecc6f427f44f2c1773df1bc1c2ef85f426a

SHA256
572d47c6985a6c1987866491f87ea9ae50701049851fd9cb078fec100996b3f6

SHA512
5301ff78b155e9af88a0bc37fb2bd6a404599b3fec074a649240a255d4fe7d06d336f18dc7b61eafb3b09f7eab9a97a35efe54cbcd00da2b08a303a197ea1192

Download Submit
\Users\Admin\AppData\Local\Temp\c1148c3ceb2973c1eee59dc74c8812a0.exe

Filesize
1003KB

MD5
50b6ae622e0ee144ad003d1fd7cf6395

SHA1
57c6de644e29c0c962942fccbb62bdadec0e6d27

SHA256
1d61a2f40c937a491514eaf7f88f0be8490d465b663ca8e1369f89e465c29d50

SHA512
22adbf6e32b16909705b7cae243fd56d49d2454d36429035b6692577b13a2a3eea28c8598d3baaf20b723a5bd4565f361c1076dcba29e645fb0bcd2bf075221e

Download Submit
memory/1216-19-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/1216-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-26-0x00000000002E0000-0x000000000034B000-memory.dmp

Filesize
428KB

Download
memory/1216-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2312-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2312-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2312-2-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2312-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2312-16-0x0000000022EF0000-0x000000002314C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads