5923791af9a81975698c79bfacc45a87fdba73b63e188883875b8cf6719c5d4a

General

Target

c896c5818094009495a1d5bff2f8d46d.exe
Size

3.9MB
MD5

c896c5818094009495a1d5bff2f8d46d
SHA1

7c60228762533bc0664aee00765a4827948234f6
SHA256

5923791af9a81975698c79bfacc45a87fdba73b63e188883875b8cf6719c5d4a
SHA512

04b427f5159039e9b832fb25a03b010767491a083ae80f4f335b04e28fade1411d6c7e7396c430e1be9a0ff42b07b0105b7dce8245df2c858907f0ef4b5d7fb9
SSDEEP

98304:LqXHP50DBeP1mA9zyULG+e+djJ8uskbJA9zyULG+R3pnZ9y0+hRbZA9zyULG+e+0:LaateNnzLqf+Nx1b2zLqspv+yzLqf+N7

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	c896c5818094009495a1d5bff2f8d46d.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	c896c5818094009495a1d5bff2f8d46d.exe

Loads dropped DLL 1 IoCs

pid	Process
1196	c896c5818094009495a1d5bff2f8d46d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1196-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d0000000122d5-11.dat	upx
behavioral1/memory/1196-16-0x0000000023810000-0x0000000023A6C000-memory.dmp	upx
behavioral1/files/0x000d0000000122d5-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2548	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c896c5818094009495a1d5bff2f8d46d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c896c5818094009495a1d5bff2f8d46d.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c896c5818094009495a1d5bff2f8d46d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c896c5818094009495a1d5bff2f8d46d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1196	c896c5818094009495a1d5bff2f8d46d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1196	c896c5818094009495a1d5bff2f8d46d.exe
2596	c896c5818094009495a1d5bff2f8d46d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2596	1196	c896c5818094009495a1d5bff2f8d46d.exe	29
PID 1196 wrote to memory of 2596	1196	c896c5818094009495a1d5bff2f8d46d.exe	29
PID 1196 wrote to memory of 2596	1196	c896c5818094009495a1d5bff2f8d46d.exe	29
PID 1196 wrote to memory of 2596	1196	c896c5818094009495a1d5bff2f8d46d.exe	29
PID 2596 wrote to memory of 2548	2596	c896c5818094009495a1d5bff2f8d46d.exe	30
PID 2596 wrote to memory of 2548	2596	c896c5818094009495a1d5bff2f8d46d.exe	30
PID 2596 wrote to memory of 2548	2596	c896c5818094009495a1d5bff2f8d46d.exe	30
PID 2596 wrote to memory of 2548	2596	c896c5818094009495a1d5bff2f8d46d.exe	30
PID 2596 wrote to memory of 2588	2596	c896c5818094009495a1d5bff2f8d46d.exe	32
PID 2596 wrote to memory of 2588	2596	c896c5818094009495a1d5bff2f8d46d.exe	32
PID 2596 wrote to memory of 2588	2596	c896c5818094009495a1d5bff2f8d46d.exe	32
PID 2596 wrote to memory of 2588	2596	c896c5818094009495a1d5bff2f8d46d.exe	32
PID 2588 wrote to memory of 2500	2588	cmd.exe	34
PID 2588 wrote to memory of 2500	2588	cmd.exe	34
PID 2588 wrote to memory of 2500	2588	cmd.exe	34
PID 2588 wrote to memory of 2500	2588	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe
"C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe
  C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe" /TN guALCTR926f5 /F
    3⤵
    - Creates scheduled task(s)
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN guALCTR926f5 > C:\Users\Admin\AppData\Local\Temp\gdAdl.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN guALCTR926f5
      4⤵
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe

Filesize
3.9MB

MD5
b3a931ff3536b893c385f7ba6eab54a4

SHA1
a494e5c87cbdb1a3f1745dfbedcb186d701213e8

SHA256
518e8afed3636d39e330962e7cbe256548a7e7c8893cb366fd4c6f3d55b2316b

SHA512
abde402bd4571b1a18eb58e5d36aa21f97168a30588ba646f16bc3cb56263fe6952dd29b1cc3181d9aad7c10b27ebb0221b3287ec3d5ac0b87fc8032c5e135e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdAdl.xml

Filesize
1KB

MD5
514b53706bac3d9e3a0e2579d60daeb9

SHA1
0595c4d441ac1b224d9e2f8e996c92cf2a86e0c2

SHA256
2144713c554bb9bbe7bd9a6624edfc18b0d39bb6eab92c85cfe4b429812180f5

SHA512
e72603db09d9a204f28d2b60635dc3c59e0f4d9fe1f90630563a01a72b20ad8444defe983642496e06975132723b2a9a37a85f57e22f29f53c17becf4a2a5ee5

Download Submit
\Users\Admin\AppData\Local\Temp\c896c5818094009495a1d5bff2f8d46d.exe

Filesize
128KB

MD5
7485e0967452888ce358130794b2ca45

SHA1
a7d9f5b5bb7cad4afedb59779b90b607b2e6de86

SHA256
e852fcb9351e539469134bb414454438633919dee074ea9b5b0265bfad6bf55d

SHA512
de8044a981d9dddeaf5dd39b1feebbd6979fa2bc8cec8b52ff2a1c511dc0450259096c469ee4ee1ac070c05f8aa18d9cda0abcf93625477d3d2905065c6d6c1d

Download Submit
memory/1196-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1196-16-0x0000000023810000-0x0000000023A6C000-memory.dmp

Filesize
2.4MB

Download
memory/1196-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1196-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/1196-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2596-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2596-21-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/2596-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-29-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2596-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads