39976ff6aae887b4f01dbe48dc81cfa06cba5cb4b2e7e6e1ae16dfe109cf0995

General

Target

c52a5453dbb2e944b1a24e7347743155.exe
Size

1003KB
MD5

c52a5453dbb2e944b1a24e7347743155
SHA1

7a10008b71eddf59dbb533b8e34a036ca4d72c14
SHA256

39976ff6aae887b4f01dbe48dc81cfa06cba5cb4b2e7e6e1ae16dfe109cf0995
SHA512

37ce4dd96fe80ddb084c66be15f8998d72e93fb1f2223d0138343edf5bb15092849d3575e1393f477c788b3eb8079df9a96f8dfdbec60be815968bcaadf40c82
SSDEEP

24576:8VFkkTd10AzNWqKSBjCcjukL2CDYibq6/yqLNaF:TkTdWAzNWqKSNCcakLz0ibq6yqh

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	c52a5453dbb2e944b1a24e7347743155.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	c52a5453dbb2e944b1a24e7347743155.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	c52a5453dbb2e944b1a24e7347743155.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012251-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c52a5453dbb2e944b1a24e7347743155.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c52a5453dbb2e944b1a24e7347743155.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c52a5453dbb2e944b1a24e7347743155.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c52a5453dbb2e944b1a24e7347743155.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2064	c52a5453dbb2e944b1a24e7347743155.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2064	c52a5453dbb2e944b1a24e7347743155.exe
2616	c52a5453dbb2e944b1a24e7347743155.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2616	2064	c52a5453dbb2e944b1a24e7347743155.exe	29
PID 2064 wrote to memory of 2616	2064	c52a5453dbb2e944b1a24e7347743155.exe	29
PID 2064 wrote to memory of 2616	2064	c52a5453dbb2e944b1a24e7347743155.exe	29
PID 2064 wrote to memory of 2616	2064	c52a5453dbb2e944b1a24e7347743155.exe	29
PID 2616 wrote to memory of 2660	2616	c52a5453dbb2e944b1a24e7347743155.exe	30
PID 2616 wrote to memory of 2660	2616	c52a5453dbb2e944b1a24e7347743155.exe	30
PID 2616 wrote to memory of 2660	2616	c52a5453dbb2e944b1a24e7347743155.exe	30
PID 2616 wrote to memory of 2660	2616	c52a5453dbb2e944b1a24e7347743155.exe	30
PID 2616 wrote to memory of 2592	2616	c52a5453dbb2e944b1a24e7347743155.exe	32
PID 2616 wrote to memory of 2592	2616	c52a5453dbb2e944b1a24e7347743155.exe	32
PID 2616 wrote to memory of 2592	2616	c52a5453dbb2e944b1a24e7347743155.exe	32
PID 2616 wrote to memory of 2592	2616	c52a5453dbb2e944b1a24e7347743155.exe	32
PID 2592 wrote to memory of 2724	2592	cmd.exe	34
PID 2592 wrote to memory of 2724	2592	cmd.exe	34
PID 2592 wrote to memory of 2724	2592	cmd.exe	34
PID 2592 wrote to memory of 2724	2592	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe
"C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe
  C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe" /TN w6CK1HQd991c /F
    3⤵
    - Creates scheduled task(s)
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN w6CK1HQd991c > C:\Users\Admin\AppData\Local\Temp\aQYoc.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN w6CK1HQd991c
      4⤵
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aQYoc.xml

Filesize
1KB

MD5
f55b17fa335b6122ee76d5bc5c48156a

SHA1
4fb218fd753a68c5140d43c6a5125fd6d58e3a9b

SHA256
db3ad418894c4784aa3b8f11fc375cccda862fb021f9a0975ea0be40b23cecaa

SHA512
c9bc3e239457af4eff4626464b52f2e4380aab29f45e83bea4dfac8cf3dff1d573f8b047feaaf18df7919a0add7f9307f0ba337fb4e61b5769495d8b3ce45999

Download Submit
C:\Users\Admin\AppData\Local\Temp\c52a5453dbb2e944b1a24e7347743155.exe

Filesize
1003KB

MD5
7afc346ba6ccb4adadf5210feb16fd44

SHA1
51c4ffd7081ee8c2f965f64ea48b0eac89a0ca05

SHA256
13307a5787b38806fa074a177784014a5e687fd31b90d0d09ea1479cd71107b7

SHA512
8510dc354ca4d9d50f4f7f8197f006e37af0485e3fbb57f7f1817e470c2efbb990e3809edaf4dec31d0db72e80db4d016b84caafdca45ae703680be17d149a52

Download Submit
memory/2064-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2064-7-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2064-16-0x0000000022EA0000-0x00000000230FC000-memory.dmp

Filesize
2.4MB

Download
memory/2064-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2064-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2064-54-0x0000000022EA0000-0x00000000230FC000-memory.dmp

Filesize
2.4MB

Download
memory/2616-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2616-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2616-27-0x00000000002C0000-0x000000000032B000-memory.dmp

Filesize
428KB

Download
memory/2616-22-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/2616-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads