be115c7a4e0047ce1f3064660ae180eded19ba2a186080c7bd7558cbd7cfc960

General

Target

c48ac2f9fea17b2b9b5b1a314611a693.exe
Size

5.1MB
MD5

c48ac2f9fea17b2b9b5b1a314611a693
SHA1

0070c860a367f16524e8f2f81306221d2b9fec9d
SHA256

be115c7a4e0047ce1f3064660ae180eded19ba2a186080c7bd7558cbd7cfc960
SHA512

0c5de159ee8bf8996911dcd207c90feb9788d738c6ec81d2ef08698ce642359e9633efe10977930a61cd701740f45fb478d72ee77a7e2f45b162aba505f22752
SSDEEP

98304:2KRHuALzW43S11qronI0Iy5fKP7grvYLS3:ROBa0j9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	c48ac2f9fea17b2b9b5b1a314611a693.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	c48ac2f9fea17b2b9b5b1a314611a693.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	c48ac2f9fea17b2b9b5b1a314611a693.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000b00000001224f-11.dat	upx
behavioral1/files/0x000b00000001224f-14.dat	upx
behavioral1/files/0x000b00000001224f-13.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c48ac2f9fea17b2b9b5b1a314611a693.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c48ac2f9fea17b2b9b5b1a314611a693.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c48ac2f9fea17b2b9b5b1a314611a693.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c48ac2f9fea17b2b9b5b1a314611a693.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1936	c48ac2f9fea17b2b9b5b1a314611a693.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1936	c48ac2f9fea17b2b9b5b1a314611a693.exe
3024	c48ac2f9fea17b2b9b5b1a314611a693.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3024	1936	c48ac2f9fea17b2b9b5b1a314611a693.exe	28
PID 1936 wrote to memory of 3024	1936	c48ac2f9fea17b2b9b5b1a314611a693.exe	28
PID 1936 wrote to memory of 3024	1936	c48ac2f9fea17b2b9b5b1a314611a693.exe	28
PID 1936 wrote to memory of 3024	1936	c48ac2f9fea17b2b9b5b1a314611a693.exe	28

C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe
"C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe
  C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe

Filesize
1.8MB

MD5
248b70b60667fa195c65efea71036f1d

SHA1
97ec471d576c5ebba5d78e2a3f3c9c3b499a7ea2

SHA256
dfdcac989e1de2e8beaa6a7c95e5e0284feb0984af53a76a0babf3027694529a

SHA512
515aa49b1b4e7738692a2de42ede78055e54313b7cf7fccbf0533c49cced183b94853c1c157bfe4d3624c8b3dd5a2af59d20d9f306da01834d5a8106302f45d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe

Filesize
1.5MB

MD5
6976496fcdb7261eb2f3d5b6761168cb

SHA1
1075bcdc6888a99b50f5719d61ab60680f0b9dec

SHA256
a41e455205b4d181606d88af89be2843e86e713cf4939fce192ac43f531ed7b7

SHA512
0a6f2c23be41cf97ea5fcf291cea344d1e5fe78fe5b8317a48a3c56c5e5ca47c91dec1dcd093734fe1ad3d1495173f5d34a948bdfbbeca849bc6d0708c5a3d5a

Download Submit
\Users\Admin\AppData\Local\Temp\c48ac2f9fea17b2b9b5b1a314611a693.exe

Filesize
1.5MB

MD5
1cd7f3fe62040ab7efda53812584715c

SHA1
5c4521693ea1f8d8bdd4f4b96813625b37ae2a68

SHA256
17b668c449fe83359e56f3fa1d709a11a656e00eccf7904d84bc9d6fa970a103

SHA512
2835ac56f6e511cfd0bc4c3b3010e2e030d5ba44dfd817e0dd0cc2034c3bd52661cebfdf471b5ab61061aca6b8f9c90b6c257ae73bb775b444a96323ce973193

Download Submit
memory/1936-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1936-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1936-2-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/1936-16-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/1936-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1936-43-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/3024-18-0x0000000002250000-0x00000000024AA000-memory.dmp

Filesize
2.4MB

Download
memory/3024-21-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/3024-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing