7e0997dacb78b2b62f6a41b12e1be202dac433f63b21a0cc53b8d9fb1e712f01

General

Target

c549ae8ce044c1fe52ed0ac8e05abb44.exe
Size

3.9MB
MD5

c549ae8ce044c1fe52ed0ac8e05abb44
SHA1

e1c6e01cb73fbc4977c9b1f0938991f1ba188408
SHA256

7e0997dacb78b2b62f6a41b12e1be202dac433f63b21a0cc53b8d9fb1e712f01
SHA512

addaa29853eeb99ca5233bb9ce8c735ad15d7f6680d16eb7489c9d086f3f1861f2aa1e73634f37e853d8510dbd39e73ce8f5b40808e859807a29d0176b25ab5e
SSDEEP

98304:fqopHpbWILpYOeFA9zyULG+FgzZWWvvzarCqA9zyULG+fj2kHkpRKrMA9zyULG+Q:fqoFp3LDeyzLqggzkWvlzLq6j2Gk/KtP

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012252-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c549ae8ce044c1fe52ed0ac8e05abb44.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c549ae8ce044c1fe52ed0ac8e05abb44.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c549ae8ce044c1fe52ed0ac8e05abb44.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c549ae8ce044c1fe52ed0ac8e05abb44.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe
3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3016	2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe	29
PID 2780 wrote to memory of 3016	2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe	29
PID 2780 wrote to memory of 3016	2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe	29
PID 2780 wrote to memory of 3016	2780	c549ae8ce044c1fe52ed0ac8e05abb44.exe	29
PID 3016 wrote to memory of 2596	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	30
PID 3016 wrote to memory of 2596	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	30
PID 3016 wrote to memory of 2596	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	30
PID 3016 wrote to memory of 2596	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	30
PID 3016 wrote to memory of 2484	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	32
PID 3016 wrote to memory of 2484	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	32
PID 3016 wrote to memory of 2484	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	32
PID 3016 wrote to memory of 2484	3016	c549ae8ce044c1fe52ed0ac8e05abb44.exe	32
PID 2484 wrote to memory of 2588	2484	cmd.exe	34
PID 2484 wrote to memory of 2588	2484	cmd.exe	34
PID 2484 wrote to memory of 2588	2484	cmd.exe	34
PID 2484 wrote to memory of 2588	2484	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
"C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
  C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe" /TN guALCTR926f5 /F
    3⤵
    - Creates scheduled task(s)
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN guALCTR926f5 > C:\Users\Admin\AppData\Local\Temp\jLP2psr.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN guALCTR926f5
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jLP2psr.xml

Filesize
1KB

MD5
4fa80912bc08ed5ab4573b1a97664a6b

SHA1
9f0a4740f7ac37ad704d2caf316d63ea0180cd72

SHA256
37870ae7406289347f107230e13b627ab78bee261cb78146bdf1452419e05370

SHA512
59dc18a73e86af116645760a914f157f07a29b1f30870aeeadd6c8d340631c90eed9b8d9178fbdfc70e9c6fd9af293578745d177406821e6e1ca85cf7b3c62d4

Download Submit
\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe

Filesize
3.9MB

MD5
0691b19a2cb2dd799cec3a2ed86740ad

SHA1
4f3566e35f4204e2da4a4f999f8d6b2ad5d24944

SHA256
25355c710a9f938740b67331c82d9b117f71b41b8c9b6b63f8f862ee4f1fa6c9

SHA512
f4e87f8532c04ff17085ebd9d10018571b708e419355c80714d1e397b8212f9be91fbc1dfa6a9318a82964c9a26c32bbf9be3a7ec9f65035b72eba1e0c3a47bb

Download Submit
memory/2780-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2780-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2780-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2780-16-0x00000000236A0000-0x00000000238FC000-memory.dmp

Filesize
2.4MB

Download
memory/2780-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3016-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3016-21-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/3016-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3016-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3016-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads