72f5f9aad337e87ce21daa3f29d848da99efb12690bd08680c9f53ffd8d020e8

General

Target

c1af5c61b8071231aa5b38fdf1a17c09.exe
Size

10.0MB
MD5

c1af5c61b8071231aa5b38fdf1a17c09
SHA1

aad53e2e77532ed7714ed09e6ac5bc35ebb260ca
SHA256

72f5f9aad337e87ce21daa3f29d848da99efb12690bd08680c9f53ffd8d020e8
SHA512

aaf84dadc68e8df81497fd2b6849ce1ca26e81315a2c52b9a4a34c5841790904a3ac5409672039cc8fef233d74480b49609950994ee2343b4c725b4375e46c05
SSDEEP

98304:HwGvjvd/k0mxbM8QO7Z0fp8wtf2B5rFLICDpKPG8QO7Z0fp8:HwGRf0bM8hd02+2BlF8C9z8hd02

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	c1af5c61b8071231aa5b38fdf1a17c09.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	c1af5c61b8071231aa5b38fdf1a17c09.exe

Loads dropped DLL 1 IoCs

pid	Process
1688	c1af5c61b8071231aa5b38fdf1a17c09.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-7-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/files/0x000900000001447e-11.dat	upx
behavioral1/memory/1688-16-0x0000000004930000-0x0000000005211000-memory.dmp	upx
behavioral1/files/0x000900000001447e-17.dat	upx
behavioral1/files/0x000900000001447e-14.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c1af5c61b8071231aa5b38fdf1a17c09.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c1af5c61b8071231aa5b38fdf1a17c09.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c1af5c61b8071231aa5b38fdf1a17c09.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c1af5c61b8071231aa5b38fdf1a17c09.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1688	c1af5c61b8071231aa5b38fdf1a17c09.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1688	c1af5c61b8071231aa5b38fdf1a17c09.exe
2552	c1af5c61b8071231aa5b38fdf1a17c09.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2552	1688	c1af5c61b8071231aa5b38fdf1a17c09.exe	29
PID 1688 wrote to memory of 2552	1688	c1af5c61b8071231aa5b38fdf1a17c09.exe	29
PID 1688 wrote to memory of 2552	1688	c1af5c61b8071231aa5b38fdf1a17c09.exe	29
PID 1688 wrote to memory of 2552	1688	c1af5c61b8071231aa5b38fdf1a17c09.exe	29

C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe
"C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe
  C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe

Filesize
1.6MB

MD5
6262850f672c3e3835542ae017893c2e

SHA1
6004ea1b9f4458042e354f80edee105d5d8f062a

SHA256
540c42909765c46fec1de98d6a74950ae002c3f5593c0ea116a45e56f17db166

SHA512
df948f58194125b50ca3978314b5b23dd7c329d62c9e3eb1a5e698016c7471e6d34dffcc21e49a16178bc8e3791b5bd1ff104f06259252c017b8ab4b5913a7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe

Filesize
1.2MB

MD5
ac275719c86bf2feda987d1daff481d8

SHA1
51b73a54bc36fbd14df347651da5ff17d0ca83ed

SHA256
6aacc5204559a66ee5d06abc5387598dc78e82e882d83059bf7ae840aa8cd952

SHA512
3e4338236c09673ea5f97396bc699afd2d22dc064c79174a1aa9b03284dbf6abcdc6905247e42e547e397dd354944ee881db540f571420eec2404462f32962be

Download Submit
\Users\Admin\AppData\Local\Temp\c1af5c61b8071231aa5b38fdf1a17c09.exe

Filesize
1.1MB

MD5
90740dc18a59d82eb4c3f072fd0d66a8

SHA1
3c68e136c8c1d8d2073858c877911fcea2739bc9

SHA256
947d4237bc22d1af28bad763158a6b1816aa95eb42b3cc899b0934f66d3b30af

SHA512
ce10192dcc4fa61067bbf66ea155c97326fd90709187d181c4e7161912e92aaeb29c928f3dd986801cf08069142b36c9a2754703125d37464c6629a7a3516bf1

Download Submit
memory/1688-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1688-7-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/1688-9-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/1688-16-0x0000000004930000-0x0000000005211000-memory.dmp

Filesize
8.9MB

Download
memory/1688-15-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1688-35-0x0000000004930000-0x0000000005211000-memory.dmp

Filesize
8.9MB

Download
memory/2552-19-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2552-21-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/2552-36-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing