af6a92045ce2bff3e5bec8c7a77501bf49a1af5a62249a8e40aa33bbcf3ef9d7

General

Target

c543f35f845e53e02b6ce9622feccb7a.exe
Size

1003KB
MD5

c543f35f845e53e02b6ce9622feccb7a
SHA1

94210d20cf87df31b0a979cb39ced904570e9e96
SHA256

af6a92045ce2bff3e5bec8c7a77501bf49a1af5a62249a8e40aa33bbcf3ef9d7
SHA512

0f1d9343b9d31b39636c8b42c91babb328c5618103778e4c0689cefefe2733acd2fb997ee02b7ecf1d860550686def517497a53dccebcf25a56a49084cad0638
SSDEEP

24576:b+WwdyzmtiSKrsYrUjZI4pvagCwlyuxr/A:b+WwdyzmUSKrsYrUjZZpXCwIuh/A

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	c543f35f845e53e02b6ce9622feccb7a.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	c543f35f845e53e02b6ce9622feccb7a.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	c543f35f845e53e02b6ce9622feccb7a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2324-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012251-11.dat	upx
behavioral1/memory/2324-16-0x0000000022F00000-0x000000002315C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2652	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c543f35f845e53e02b6ce9622feccb7a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c543f35f845e53e02b6ce9622feccb7a.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c543f35f845e53e02b6ce9622feccb7a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c543f35f845e53e02b6ce9622feccb7a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2324	c543f35f845e53e02b6ce9622feccb7a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2324	c543f35f845e53e02b6ce9622feccb7a.exe
2532	c543f35f845e53e02b6ce9622feccb7a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2532	2324	c543f35f845e53e02b6ce9622feccb7a.exe	29
PID 2324 wrote to memory of 2532	2324	c543f35f845e53e02b6ce9622feccb7a.exe	29
PID 2324 wrote to memory of 2532	2324	c543f35f845e53e02b6ce9622feccb7a.exe	29
PID 2324 wrote to memory of 2532	2324	c543f35f845e53e02b6ce9622feccb7a.exe	29
PID 2532 wrote to memory of 2652	2532	c543f35f845e53e02b6ce9622feccb7a.exe	30
PID 2532 wrote to memory of 2652	2532	c543f35f845e53e02b6ce9622feccb7a.exe	30
PID 2532 wrote to memory of 2652	2532	c543f35f845e53e02b6ce9622feccb7a.exe	30
PID 2532 wrote to memory of 2652	2532	c543f35f845e53e02b6ce9622feccb7a.exe	30
PID 2532 wrote to memory of 2664	2532	c543f35f845e53e02b6ce9622feccb7a.exe	32
PID 2532 wrote to memory of 2664	2532	c543f35f845e53e02b6ce9622feccb7a.exe	32
PID 2532 wrote to memory of 2664	2532	c543f35f845e53e02b6ce9622feccb7a.exe	32
PID 2532 wrote to memory of 2664	2532	c543f35f845e53e02b6ce9622feccb7a.exe	32
PID 2664 wrote to memory of 2568	2664	cmd.exe	34
PID 2664 wrote to memory of 2568	2664	cmd.exe	34
PID 2664 wrote to memory of 2568	2664	cmd.exe	34
PID 2664 wrote to memory of 2568	2664	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe
"C:\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe
  C:\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe" /TN WiDkBlJDe41e /F
    3⤵
    - Creates scheduled task(s)
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN WiDkBlJDe41e > C:\Users\Admin\AppData\Local\Temp\RaODNK0H.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN WiDkBlJDe41e
      4⤵
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RaODNK0H.xml

Filesize
1KB

MD5
d8b22efc7f5706d1322de3a55bf7a30f

SHA1
e03519332a148d66928aad5f64db905fd0715850

SHA256
6e3557ca3087757035091b2d8c6c1e2f7e090c954b39e25cf5cceca230ff013b

SHA512
6f0f86d413377a8df765efc06f2727ccb03c04b7249053d664579587d11e0fcd3ea55cb8884e5fecfbde0ff48629e26921c65c33ec5c6d9de59abc7e042d5155

Download Submit
\Users\Admin\AppData\Local\Temp\c543f35f845e53e02b6ce9622feccb7a.exe

Filesize
1003KB

MD5
7d29e000b53928b971628abccd37cc36

SHA1
be68acf9d5d8a59b136050e29c4903f43763663f

SHA256
16ee660e460befef78c9abfbe274d31d2f594d76260ad4d9e2dae99356537d89

SHA512
8a3859cd9456bed07ee7617d051f1c6bf3bc22fa8a52a79b12e68850b1fea1f8ce544ec59388bdabb6f692448ae4f35a3fb32d26a78f4ec5af3d87792fe115a0

Download Submit
memory/2324-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2324-3-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2324-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2324-16-0x0000000022F00000-0x000000002315C000-memory.dmp

Filesize
2.4MB

Download
memory/2324-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2532-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2532-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2532-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2532-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads