ccbff7edb9835a7814de961d4a9e57a268a8afa291bde0237eb02e4d91b69edb

General

Target

c6a5ef0560ecc2f2e81736a7106ac2ef.exe
Size

5.1MB
MD5

c6a5ef0560ecc2f2e81736a7106ac2ef
SHA1

cb926478c98273f38e266f30f8c240c1aab87b3d
SHA256

ccbff7edb9835a7814de961d4a9e57a268a8afa291bde0237eb02e4d91b69edb
SHA512

c8ca640ae2f6dcaf56321a6d8500ef29e4f8bc6499d5489aeac21b2d456d46c45a37836a675133b0e78cae16dc8fe4da8d232991c2b33b573305b49a37924a0a
SSDEEP

49152:yUdMFOLnwyY7AQCzn9/AS+nTikwhhay3mZEHCti9x5P2qpEwd+e/SEHPis4EDyWP:yjEwgQCzzPR3tR9vewdFPx4dWP3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000a000000012255-14.dat	upx
behavioral1/files/0x000a000000012255-13.dat	upx
behavioral1/files/0x000a000000012255-11.dat	upx
behavioral1/memory/2916-18-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c6a5ef0560ecc2f2e81736a7106ac2ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c6a5ef0560ecc2f2e81736a7106ac2ef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c6a5ef0560ecc2f2e81736a7106ac2ef.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe
2916	c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2916	2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe	28
PID 2248 wrote to memory of 2916	2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe	28
PID 2248 wrote to memory of 2916	2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe	28
PID 2248 wrote to memory of 2916	2248	c6a5ef0560ecc2f2e81736a7106ac2ef.exe	28

C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe
  C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Filesize
1.6MB

MD5
05923a273c80365c2152307c022e81ab

SHA1
0910dd25b57a15f09d970a1611c4d29df9d33ad1

SHA256
684733af46220675d432bb6ecd49eb63c38dcce87e78bbb7b6565ccbde9ce9b4

SHA512
3af7cc1c5affda9c1709b7ea7ba6f3ff9cca8b0ef7fb8e6d54544ad194d6438674a82786f31a3875513f947acae87781f75122b60f712b6f93009945c1b387f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Filesize
1.7MB

MD5
28dba6bd1c43dca7e0080bb3a20ce918

SHA1
5660cfef9072d76174c53210045acd7e6d46a654

SHA256
d66b7a27dbbdf52ededb88ab0907ea16261f78829ce6af133641780b34ff33e8

SHA512
df9bb48a56f1bd1bcc39b56437caa9a1d29a36a3958cc8c7cd48bb25208dd7ccb2253a9edf161fa98b52957afad585687280eb09338536cbd030b28d44950670

Download Submit
\Users\Admin\AppData\Local\Temp\c6a5ef0560ecc2f2e81736a7106ac2ef.exe

Filesize
1.5MB

MD5
025601f561b6f41da0a32ec5714e4fef

SHA1
16192107bb7750a79b8f19183ac5af711547dd90

SHA256
b37d0dc10cc0d613a03a92d8287ab8b238d70e45f9fdddc836af71806413f394

SHA512
1a51e945a3294872984762456527972afca00b17cb808f10bef8f619fda700e75a2bafd6c24902e4d896d1f3288b2bf1884d8717eeed2adcc8e371e2a3f0f5e4

Download Submit
memory/2248-3-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2248-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2248-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2248-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2248-16-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2248-43-0x0000000004060000-0x00000000049FE000-memory.dmp

Filesize
9.6MB

Download
memory/2916-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2916-20-0x00000000021E0000-0x000000000243A000-memory.dmp

Filesize
2.4MB

Download
memory/2916-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing