3cb9916c36f5a9fbe42f8fa6903eb055e8b022662d183a1b424253e87ffffc16

General

Target

c740a523dd6d800ea6d8f3114d0c788f.exe
Size

1003KB
MD5

c740a523dd6d800ea6d8f3114d0c788f
SHA1

86204e719a8a653781dbf8d9912443b724f48e06
SHA256

3cb9916c36f5a9fbe42f8fa6903eb055e8b022662d183a1b424253e87ffffc16
SHA512

419deb320e596bbe023e4f86424b5e0123590bd2c9748f94f857be07213d0c7f6cac06767ef27573885401529ca63765132f7c5e468a08f7c234dfb3ee185333
SSDEEP

24576:GNoGxWpDJ4qKwOVbjuYtphkE01qGiQl8pncQyQkydc:GNoGgL4qfSeY3hT0qGiQipnByNy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2284	c740a523dd6d800ea6d8f3114d0c788f.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	c740a523dd6d800ea6d8f3114d0c788f.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	c740a523dd6d800ea6d8f3114d0c788f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001445e-11.dat	upx
behavioral1/files/0x000d00000001445e-16.dat	upx
behavioral1/memory/2284-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2520	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c740a523dd6d800ea6d8f3114d0c788f.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c740a523dd6d800ea6d8f3114d0c788f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c740a523dd6d800ea6d8f3114d0c788f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c740a523dd6d800ea6d8f3114d0c788f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3036	c740a523dd6d800ea6d8f3114d0c788f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3036	c740a523dd6d800ea6d8f3114d0c788f.exe
2284	c740a523dd6d800ea6d8f3114d0c788f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2284	3036	c740a523dd6d800ea6d8f3114d0c788f.exe	29
PID 3036 wrote to memory of 2284	3036	c740a523dd6d800ea6d8f3114d0c788f.exe	29
PID 3036 wrote to memory of 2284	3036	c740a523dd6d800ea6d8f3114d0c788f.exe	29
PID 3036 wrote to memory of 2284	3036	c740a523dd6d800ea6d8f3114d0c788f.exe	29
PID 2284 wrote to memory of 2520	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	30
PID 2284 wrote to memory of 2520	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	30
PID 2284 wrote to memory of 2520	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	30
PID 2284 wrote to memory of 2520	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	30
PID 2284 wrote to memory of 2548	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	32
PID 2284 wrote to memory of 2548	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	32
PID 2284 wrote to memory of 2548	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	32
PID 2284 wrote to memory of 2548	2284	c740a523dd6d800ea6d8f3114d0c788f.exe	32
PID 2548 wrote to memory of 2648	2548	cmd.exe	34
PID 2548 wrote to memory of 2648	2548	cmd.exe	34
PID 2548 wrote to memory of 2648	2548	cmd.exe	34
PID 2548 wrote to memory of 2648	2548	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe
"C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe
  C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe" /TN uoFCMKY16031 /F
    3⤵
    - Creates scheduled task(s)
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uoFCMKY16031 > C:\Users\Admin\AppData\Local\Temp\M9ITuM.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uoFCMKY16031
      4⤵
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M9ITuM.xml

Filesize
1KB

MD5
7a1b27d01ceb51770c1b7fd025c5f871

SHA1
37fd75d87841e1132cc1e757676f252313e1e51f

SHA256
6162c56b3a83967a992f87f3d0026aea71cc5fcd97ef361fb0bf3e47059ca748

SHA512
c5dc8f938fe71c970d34f661caf9770ba076a8e23dac1deb981e1d1c26d50485ef6bd0367fb5018161c5e2f1c660d18b55d7ca1375dd8cc437adb2830800bf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe

Filesize
1003KB

MD5
f06b825e2d82146d24ca3ae46347528b

SHA1
a3322c5d6585b273842b37f973a8ed072307051a

SHA256
5ec45978ca960c8b7aeee57b3aa928d122011f3be2368928b75fde8265540d8b

SHA512
2209b26c7dcb2e87f8f451528160346245d2692e43c9e6728c7fac124d4e206860ccd1e69c9bfe86d062f2f3af1d2015f4067b572b912359305d9323433b3bd7

Download Submit
\Users\Admin\AppData\Local\Temp\c740a523dd6d800ea6d8f3114d0c788f.exe

Filesize
192KB

MD5
8c11a273ba53f66f9dcc66a9c889004c

SHA1
193932149eeb3afe970a4bf718143691afd092d5

SHA256
f7e7d5e2217eb104f4166c58af1d2dfe2de397a82968ee35f7c3dc91a0f0cf90

SHA512
f1baa9855581a3ffba35d52a4ee4734b530f7d8681f1c4035fee7c88bbc078c97c0f63e2e3f1348d8094ab709e1e8764a197c7ae449ff746d51bc1148f1c6031

Download Submit
memory/2284-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2284-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2284-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2284-28-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2284-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3036-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3036-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3036-2-0x00000000001D0000-0x000000000024E000-memory.dmp

Filesize
504KB

Download
memory/3036-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads