fbc0d1667316478cfca0bd9f82505ab0314c26d31b0e87692b1901122cff9d30

General

Target

c81e5af768f9cf16fdb28fef2297c62d.exe
Size

2.5MB
MD5

c81e5af768f9cf16fdb28fef2297c62d
SHA1

960000d1d94bcfca3f1b03b8e26857235e2d7d01
SHA256

fbc0d1667316478cfca0bd9f82505ab0314c26d31b0e87692b1901122cff9d30
SHA512

185e79873ec96f78498036cc1f1556779cd17052fd63ef29c4bb88c008524ea570cf326e2386cdb400eda193ca16f774dec186afde2f89a4a38e060a9b4f3b17
SSDEEP

24576:ljHPrZH69YeFTHjtujvD8rlwtA3tK/gbiCEOsHhSenp1cYmo6Se6XRYg7miD97lW:RHtaNFz4gBwwI0rG/z7mClKXYUojCd

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2296	c81e5af768f9cf16fdb28fef2297c62d.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	c81e5af768f9cf16fdb28fef2297c62d.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	c81e5af768f9cf16fdb28fef2297c62d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-0-0x0000000000400000-0x0000000000CE1000-memory.dmp	upx
behavioral1/files/0x0009000000012226-11.dat	upx
behavioral1/files/0x0009000000012226-15.dat	upx
behavioral1/files/0x0009000000012226-14.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c81e5af768f9cf16fdb28fef2297c62d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c81e5af768f9cf16fdb28fef2297c62d.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c81e5af768f9cf16fdb28fef2297c62d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c81e5af768f9cf16fdb28fef2297c62d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1364	c81e5af768f9cf16fdb28fef2297c62d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1364	c81e5af768f9cf16fdb28fef2297c62d.exe
2296	c81e5af768f9cf16fdb28fef2297c62d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2296	1364	c81e5af768f9cf16fdb28fef2297c62d.exe	29
PID 1364 wrote to memory of 2296	1364	c81e5af768f9cf16fdb28fef2297c62d.exe	29
PID 1364 wrote to memory of 2296	1364	c81e5af768f9cf16fdb28fef2297c62d.exe	29
PID 1364 wrote to memory of 2296	1364	c81e5af768f9cf16fdb28fef2297c62d.exe	29

C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe
"C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe
  C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe

Filesize
2.2MB

MD5
ecbee504e7461bc0f10afc54ffc1b3ce

SHA1
4a044f2637af8a745c1aded14e33f3d95014b477

SHA256
a389ef72d336528c3c707ff74635587e6f2730c7c8bb846af7adbe79c8ea54a5

SHA512
64ef64112826e7ebf63619dc1664cdc81a7b5049b143c21f938769c7ff39048bdbdc754f8fbf1be3e0f6cb31ce11fa75e99f2a3f1d28b19f7edf45ea62f944ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe

Filesize
2.0MB

MD5
f510ce35d60fa8113a63289e477c5bd0

SHA1
8989683ea85ac834d6b584527145d83ef9164b6d

SHA256
4ebfbfd702a8b07066ccedce220c0888d95f27a8b73e1248ebb8af61fbb01a07

SHA512
accba2acffab03ccef1fa4261a71ed7d5ae4b450b3d898c1f331e862d9a962723aa6310350b55544179486bf2fab71ac38b1a6665dbf5f3011bdce10334ab58a

Download Submit
\Users\Admin\AppData\Local\Temp\c81e5af768f9cf16fdb28fef2297c62d.exe

Filesize
640KB

MD5
07888447678ec9137d48a9cfea1fffce

SHA1
a9ca3026d0cce23cbccc335684203be56a9f46a3

SHA256
a075f6ff9b1f8672d2cf4d6f3a6f5ae641acddef7d78a1783303d807a123c5bb

SHA512
5c27b895bef80d54a721eac6faf2d9173671f6613829ffe26bd8c98d13b58b0f6131602eec3fa472825c2f2c3dd0a241b1afcdd0806b8c4f2d92658d0f653398

Download Submit
memory/1364-1-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1364-3-0x0000000001EE0000-0x000000000210E000-memory.dmp

Filesize
2.2MB

Download
memory/1364-0-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/1364-17-0x00000000037A0000-0x0000000004081000-memory.dmp

Filesize
8.9MB

Download
memory/1364-16-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1364-44-0x00000000037A0000-0x0000000004081000-memory.dmp

Filesize
8.9MB

Download
memory/2296-21-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download
memory/2296-24-0x0000000002110000-0x000000000233E000-memory.dmp

Filesize
2.2MB

Download
memory/2296-45-0x0000000000400000-0x0000000000CE1000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing