936dfa7e87e617e2e7380d0f3ae3d1b8016ede2b6ee18551115ca19432753ab2

General

Target

c10def95c5aff4fcd4a878b7f5fce465.exe
Size

2.0MB
MD5

c10def95c5aff4fcd4a878b7f5fce465
SHA1

8910ff67aab5732c6c544120a13b5f8a219c9100
SHA256

936dfa7e87e617e2e7380d0f3ae3d1b8016ede2b6ee18551115ca19432753ab2
SHA512

ba173ca4f6458be8e905731adf8e589d34741a85bd5bc562052076bc1a39ed88c82135368030f0febdf893b8f7c729d4eeb78bc7ac020e737fb0abe93b8a31c2
SSDEEP

49152:jW/pBtpsI4r6HCn0hcN+9zWFULG+OwjlaJDC1lbBebcN+9zWFULG+:jW/pBtpshr6in0iA9zyULG+TjlaJD0l+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2140	c10def95c5aff4fcd4a878b7f5fce465.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	c10def95c5aff4fcd4a878b7f5fce465.exe

Loads dropped DLL 1 IoCs

pid	Process
880	c10def95c5aff4fcd4a878b7f5fce465.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/880-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001410d-17.dat	upx
behavioral1/files/0x000a00000001410d-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2604	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c10def95c5aff4fcd4a878b7f5fce465.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c10def95c5aff4fcd4a878b7f5fce465.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c10def95c5aff4fcd4a878b7f5fce465.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c10def95c5aff4fcd4a878b7f5fce465.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
880	c10def95c5aff4fcd4a878b7f5fce465.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
880	c10def95c5aff4fcd4a878b7f5fce465.exe
2140	c10def95c5aff4fcd4a878b7f5fce465.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2140	880	c10def95c5aff4fcd4a878b7f5fce465.exe	29
PID 880 wrote to memory of 2140	880	c10def95c5aff4fcd4a878b7f5fce465.exe	29
PID 880 wrote to memory of 2140	880	c10def95c5aff4fcd4a878b7f5fce465.exe	29
PID 880 wrote to memory of 2140	880	c10def95c5aff4fcd4a878b7f5fce465.exe	29
PID 2140 wrote to memory of 2604	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	30
PID 2140 wrote to memory of 2604	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	30
PID 2140 wrote to memory of 2604	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	30
PID 2140 wrote to memory of 2604	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	30
PID 2140 wrote to memory of 2648	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	32
PID 2140 wrote to memory of 2648	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	32
PID 2140 wrote to memory of 2648	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	32
PID 2140 wrote to memory of 2648	2140	c10def95c5aff4fcd4a878b7f5fce465.exe	32
PID 2648 wrote to memory of 2568	2648	cmd.exe	34
PID 2648 wrote to memory of 2568	2648	cmd.exe	34
PID 2648 wrote to memory of 2568	2648	cmd.exe	34
PID 2648 wrote to memory of 2568	2648	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe
"C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe
  C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe" /TN uoFCMKY16031 /F
    3⤵
    - Creates scheduled task(s)
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uoFCMKY16031 > C:\Users\Admin\AppData\Local\Temp\YVa4F0VCz.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uoFCMKY16031
      4⤵
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YVa4F0VCz.xml

Filesize
1KB

MD5
82456633adc0471bb9321517bb57858d

SHA1
5c91d835581d41b076516b4dd3a9e1dd3b211d5b

SHA256
ac2dab9beb34f98a384351af43d76645f1266cb8876c5445f7168c5e076fa3ec

SHA512
b808693f437c82f8b26152abf03fe1b72de1255c962956da98ae46d8591d7d37c69fede1c78afd9d3c3fb7d1a1aad0e47d86c0349e5df4bdd63da887dbe37427

Download Submit
C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe

Filesize
320KB

MD5
4cca4eb2bad5d6589e61ac7dc5a955b5

SHA1
e0e7ce34a338994b7235b2ceca677a8aafb15440

SHA256
e2c7ad1ecde129dbe8686fadcc657b286187ba9bac29706be803151a63096256

SHA512
b1ce91fdc0b55f7c8895c4a207d017d5f25045a0cfbd1e2cb0627df7a6202c0f5396db7229da5a5c053c80844fe1afebabfd70e5f84b748aa1a5374b47afa001

Download Submit
C:\Users\Admin\AppData\Local\Temp\c10def95c5aff4fcd4a878b7f5fce465.exe

Filesize
256KB

MD5
4fc57f188ccddc14a286bd5b44461686

SHA1
ee3adb02b2e19b801933ba6578c43dd0aaf2371b

SHA256
646c7b449925cfa03d52267a5ef37b52f59f701427fd40db2ce0a5dd47a67906

SHA512
7f5086387a11b3f6cafb07810ec7be86c8eb7c072c718070c09d1571da73a06fc54a0be373cfbe3f2ef0318d4a25fc68682cbffaa6cf6d689efd25dcc3accc8b

Download Submit
memory/880-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/880-16-0x00000000232F0000-0x000000002354C000-memory.dmp

Filesize
2.4MB

Download
memory/880-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/880-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/880-2-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download
memory/880-53-0x00000000232F0000-0x000000002354C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2140-27-0x00000000002B0000-0x000000000031B000-memory.dmp

Filesize
428KB

Download
memory/2140-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2140-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads