09ba5401dca6976ed4bf55cae47b2b2f489829e329ad8a573120f5584a9872cb

General

Target

c3b3e606509feb13c4ac729cb418cbe6.exe
Size

3.9MB
MD5

c3b3e606509feb13c4ac729cb418cbe6
SHA1

65d2f50295f99ecd9175b4d693e31aa8743540fe
SHA256

09ba5401dca6976ed4bf55cae47b2b2f489829e329ad8a573120f5584a9872cb
SHA512

94fe6ddd1dc56783051be880be5b35b2841bb480023492aa18909c92f2fb24da5a0925644fca91a1c9e9122d54058b9a575befb452fa4ef2bb0dbd713456b07d
SSDEEP

98304:uu7FXGONOA9zyULG+kgd8pVPH+A9zyULG+/mQy8mYA9zyULG+kgd8pVPH+A9zyU1:j9GizLqEglHPzLq0O8mVzLqEglHPzLq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1720	c3b3e606509feb13c4ac729cb418cbe6.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	c3b3e606509feb13c4ac729cb418cbe6.exe

Loads dropped DLL 1 IoCs

pid	Process
640	c3b3e606509feb13c4ac729cb418cbe6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/640-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-11.dat	upx
behavioral1/memory/640-16-0x0000000023590000-0x00000000237EC000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2628	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c3b3e606509feb13c4ac729cb418cbe6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c3b3e606509feb13c4ac729cb418cbe6.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c3b3e606509feb13c4ac729cb418cbe6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c3b3e606509feb13c4ac729cb418cbe6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
640	c3b3e606509feb13c4ac729cb418cbe6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
640	c3b3e606509feb13c4ac729cb418cbe6.exe
1720	c3b3e606509feb13c4ac729cb418cbe6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1720	640	c3b3e606509feb13c4ac729cb418cbe6.exe	29
PID 640 wrote to memory of 1720	640	c3b3e606509feb13c4ac729cb418cbe6.exe	29
PID 640 wrote to memory of 1720	640	c3b3e606509feb13c4ac729cb418cbe6.exe	29
PID 640 wrote to memory of 1720	640	c3b3e606509feb13c4ac729cb418cbe6.exe	29
PID 1720 wrote to memory of 2628	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	30
PID 1720 wrote to memory of 2628	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	30
PID 1720 wrote to memory of 2628	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	30
PID 1720 wrote to memory of 2628	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	30
PID 1720 wrote to memory of 1520	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	32
PID 1720 wrote to memory of 1520	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	32
PID 1720 wrote to memory of 1520	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	32
PID 1720 wrote to memory of 1520	1720	c3b3e606509feb13c4ac729cb418cbe6.exe	32
PID 1520 wrote to memory of 2516	1520	cmd.exe	34
PID 1520 wrote to memory of 2516	1520	cmd.exe	34
PID 1520 wrote to memory of 2516	1520	cmd.exe	34
PID 1520 wrote to memory of 2516	1520	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe
"C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe
  C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe" /TN MJu5Ub8Eff50 /F
    3⤵
    - Creates scheduled task(s)
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MJu5Ub8Eff50 > C:\Users\Admin\AppData\Local\Temp\xUnl7dCX5.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MJu5Ub8Eff50
      4⤵
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe

Filesize
829KB

MD5
27140baa0e41ca472d36d86ac623dfca

SHA1
ac3818d22736c1ca2fd671541650cb887b7a66b6

SHA256
1cec58e3afb6e9d3b2f824c4b6280a1b8c36635d2c7562b5a8703422c33089af

SHA512
8a8a829848338c9886274caf381f24bd787f5b527cd03240d92b8394d7482e8ad46ac33621e066d7f6d539210d455c2efaa005255e7f01a3909a7d620d0c75e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUnl7dCX5.xml

Filesize
1KB

MD5
0b0756e9ca9e6c74169cfc2044861d9b

SHA1
aa0cd6bb9357b3bbddc089669b41f25cd85f0132

SHA256
d9449f933203df9721572cb14a87faa1aa1b77b2150f4b8439a8cfdac2c1d4ba

SHA512
21440a736d186d853c5b5ff13a47c32ead1667d2e4742c195738644ac0b31741f22be83eaf95e28709a9760ea76b015698fc34bf013f98681339e3903384d360

Download Submit
\Users\Admin\AppData\Local\Temp\c3b3e606509feb13c4ac729cb418cbe6.exe

Filesize
1.3MB

MD5
3fa707dd361db1a93b6f8f8ff302cf1e

SHA1
fca421c601a4bab1c7011ef753a888d86baa335b

SHA256
2ef80bd35b965a5d84a1a2c8d57718aeb0a4b28a7e5ffcea53f67d17f078231a

SHA512
49088d934fb91dabaac906b85373c07dc07266bd4201be8a2eeaa218d7415d0bc5e4a0558bfe3da833da7b18e214de56268d76d8a5cf5f27a79203112e6c3baf

Download Submit
memory/640-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/640-16-0x0000000023590000-0x00000000237EC000-memory.dmp

Filesize
2.4MB

Download
memory/640-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/640-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/640-2-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/1720-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1720-21-0x00000000002E0000-0x000000000035E000-memory.dmp

Filesize
504KB

Download
memory/1720-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1720-28-0x0000000000360000-0x00000000003CB000-memory.dmp

Filesize
428KB

Download
memory/1720-36-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads