d9a2b3aa359d08d7aa46fe57b313755caba05c8a2304ab643207de0e5e5ca28e

General

Target

c2558d1a69052273fcfbfa6676744f6d.exe
Size

2.0MB
MD5

c2558d1a69052273fcfbfa6676744f6d
SHA1

769f55c3b14fa2faf65a172db442afd2f3e48c04
SHA256

d9a2b3aa359d08d7aa46fe57b313755caba05c8a2304ab643207de0e5e5ca28e
SHA512

6229492b8a28f2fb65bd4fa926fcf4f8798b8df5045934b62aaf10f0949b53cb3306a0814a366c3c4ac2996968e48747f258d2a28b55240f3b65ff7a7746a766
SSDEEP

49152:kOU2aX3feUMY+61Szi/acakLz0ibq6yqhhubDY0CgOnQvEn0bcakLz0ibq6yqh:BU2aX3feHYZ8i/acakcibiqhMbMgOn7R

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2952	c2558d1a69052273fcfbfa6676744f6d.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	c2558d1a69052273fcfbfa6676744f6d.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	c2558d1a69052273fcfbfa6676744f6d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000013420-11.dat	upx
behavioral1/memory/2316-16-0x0000000023250000-0x00000000234AC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c2558d1a69052273fcfbfa6676744f6d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c2558d1a69052273fcfbfa6676744f6d.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c2558d1a69052273fcfbfa6676744f6d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c2558d1a69052273fcfbfa6676744f6d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	c2558d1a69052273fcfbfa6676744f6d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2316	c2558d1a69052273fcfbfa6676744f6d.exe
2952	c2558d1a69052273fcfbfa6676744f6d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2952	2316	c2558d1a69052273fcfbfa6676744f6d.exe	29
PID 2316 wrote to memory of 2952	2316	c2558d1a69052273fcfbfa6676744f6d.exe	29
PID 2316 wrote to memory of 2952	2316	c2558d1a69052273fcfbfa6676744f6d.exe	29
PID 2316 wrote to memory of 2952	2316	c2558d1a69052273fcfbfa6676744f6d.exe	29
PID 2952 wrote to memory of 2600	2952	c2558d1a69052273fcfbfa6676744f6d.exe	30
PID 2952 wrote to memory of 2600	2952	c2558d1a69052273fcfbfa6676744f6d.exe	30
PID 2952 wrote to memory of 2600	2952	c2558d1a69052273fcfbfa6676744f6d.exe	30
PID 2952 wrote to memory of 2600	2952	c2558d1a69052273fcfbfa6676744f6d.exe	30
PID 2952 wrote to memory of 2552	2952	c2558d1a69052273fcfbfa6676744f6d.exe	32
PID 2952 wrote to memory of 2552	2952	c2558d1a69052273fcfbfa6676744f6d.exe	32
PID 2952 wrote to memory of 2552	2952	c2558d1a69052273fcfbfa6676744f6d.exe	32
PID 2952 wrote to memory of 2552	2952	c2558d1a69052273fcfbfa6676744f6d.exe	32
PID 2552 wrote to memory of 2500	2552	cmd.exe	34
PID 2552 wrote to memory of 2500	2552	cmd.exe	34
PID 2552 wrote to memory of 2500	2552	cmd.exe	34
PID 2552 wrote to memory of 2500	2552	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe
"C:\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe
  C:\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe" /TN WiDkBlJDe41e /F
    3⤵
    - Creates scheduled task(s)
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WiDkBlJDe41e > C:\Users\Admin\AppData\Local\Temp\vMz8qY.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WiDkBlJDe41e
      4⤵
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vMz8qY.xml

Filesize
1KB

MD5
c0574f37df5377a0f01fb5f0b211dcd9

SHA1
61ef82b88d6361a7e62a6d76bda4a4e628dbcf47

SHA256
693596908edb7ff0325023024907973ab4cc72b05dc3a8a55f57b16169152b1e

SHA512
a9b00470f4dd7c2eba52281d395a16398b6f7d34a5ad1dbcf9bb6766ab346c3e8127c553f2eeaa32ad678ebd9e4b4aaa4a1c20276e9ce0fe046aadad2ee8be92

Download Submit
\Users\Admin\AppData\Local\Temp\c2558d1a69052273fcfbfa6676744f6d.exe

Filesize
2.0MB

MD5
3c963c9aa56693221d8ba60222a422e1

SHA1
be20f4e8fd0000d5c03759b6b911556b1d4b80fe

SHA256
d58e718284f72c218e21685d42451957de291c8d976442ca2d1cf868654b85f9

SHA512
0116b3fcdfe4f7d793dd9d189fc161233753a135a3a4c747c91724158b3119850c09379e6e2421cdbaa59924de8158a79ca8db0129d903306a3593e5656e7cc7

Download Submit
memory/2316-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2316-2-0x0000000022DB0000-0x0000000022E2E000-memory.dmp

Filesize
504KB

Download
memory/2316-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2316-16-0x0000000023250000-0x00000000234AC000-memory.dmp

Filesize
2.4MB

Download
memory/2316-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2952-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2952-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2952-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2952-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads