744e9998edb7fb4f6382c07d12baf98d348c6170723c52c29d471cdfdc0613fd

General

Target

c92cb70677786b3e4d7e761c564c9a2d.exe
Size

3.0MB
MD5

c92cb70677786b3e4d7e761c564c9a2d
SHA1

8e7f75003b5bbc0ba41000c54dd8717b32408b1f
SHA256

744e9998edb7fb4f6382c07d12baf98d348c6170723c52c29d471cdfdc0613fd
SHA512

5ccff2e84e93f6c71a20c67cd5de5c63b5dd9caedd15c557fbaa75cdbe8a4a179a9780e53447220e7862678e8151a04613fe503d7f4359607d1df2714c55838f
SSDEEP

49152:GBwLRC2cakLVy5dv5sgpkB5+PcakLdI1eageTdHpPYV0cakLVy5dv5sgpkB5+Pcl:YWC2cakhy595sgp9cakBVageTlpPYV06

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2148	c92cb70677786b3e4d7e761c564c9a2d.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	c92cb70677786b3e4d7e761c564c9a2d.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	c92cb70677786b3e4d7e761c564c9a2d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001224f-11.dat	upx
behavioral1/files/0x000b00000001224f-17.dat	upx
behavioral1/memory/1948-16-0x0000000023430000-0x000000002368C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c92cb70677786b3e4d7e761c564c9a2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c92cb70677786b3e4d7e761c564c9a2d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c92cb70677786b3e4d7e761c564c9a2d.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c92cb70677786b3e4d7e761c564c9a2d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	c92cb70677786b3e4d7e761c564c9a2d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1948	c92cb70677786b3e4d7e761c564c9a2d.exe
2148	c92cb70677786b3e4d7e761c564c9a2d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2148	1948	c92cb70677786b3e4d7e761c564c9a2d.exe	29
PID 1948 wrote to memory of 2148	1948	c92cb70677786b3e4d7e761c564c9a2d.exe	29
PID 1948 wrote to memory of 2148	1948	c92cb70677786b3e4d7e761c564c9a2d.exe	29
PID 1948 wrote to memory of 2148	1948	c92cb70677786b3e4d7e761c564c9a2d.exe	29
PID 2148 wrote to memory of 2512	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	30
PID 2148 wrote to memory of 2512	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	30
PID 2148 wrote to memory of 2512	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	30
PID 2148 wrote to memory of 2512	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	30
PID 2148 wrote to memory of 3040	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	32
PID 2148 wrote to memory of 3040	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	32
PID 2148 wrote to memory of 3040	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	32
PID 2148 wrote to memory of 3040	2148	c92cb70677786b3e4d7e761c564c9a2d.exe	32
PID 3040 wrote to memory of 2544	3040	cmd.exe	34
PID 3040 wrote to memory of 2544	3040	cmd.exe	34
PID 3040 wrote to memory of 2544	3040	cmd.exe	34
PID 3040 wrote to memory of 2544	3040	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
"C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
  C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\dFcDxA.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe

Filesize
3.0MB

MD5
2c4184274bfafda3bdf052d8393d3fdd

SHA1
b8f9b05595d9013f42bd7d875d401933b453c43c

SHA256
02e1172342549cd16ffb843de22aeefe192373f0457d1c9fe8804689a5c51be0

SHA512
1192e1275b470f05fa6f22390efd844623db4d1b77b7a7a7fdef4fb47c911b64b3b1337e2ab3aebd2088c1c6f005f48c81f0b726f81d100c5a254303d84b6960

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFcDxA.xml

Filesize
1KB

MD5
7611ad0d6b949c2069cc1f5d6105a684

SHA1
8a5639874276e3edf2ce8b1ef19dcd50419b86b6

SHA256
c21008f58142ea285f3372dadec409e1ebefc2e13590f79ba63963570991a7e7

SHA512
f414d1d7bde5c8d56acd3f82d958f950833edad6de4f5a6b72e044f83f68d39ee66c1977e68bc17922c36e7e12ae3c0ffbb9e7bca485e753b33d6491f2000300

Download Submit
\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe

Filesize
768KB

MD5
6d47e17d1c03f962bb8967053544efeb

SHA1
a5866e72518b678635e05ba15a210be4236634dc

SHA256
f5d141f745804b80282f4a87e242a9937e882a988eeb9bfd951824eba789f812

SHA512
c7ea64cb1068debd3d66689fc7c2798f36b0d1d46fe321817a597ded273aa914200df1e4280285a329024092b5347d91f68bdf750ce595960b30c5665f125744

Download Submit
memory/1948-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1948-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1948-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1948-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1948-16-0x0000000023430000-0x000000002368C000-memory.dmp

Filesize
2.4MB

Download
memory/2148-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2148-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2148-30-0x00000000001E0000-0x000000000024B000-memory.dmp

Filesize
428KB

Download
memory/2148-21-0x00000000002D0000-0x000000000034E000-memory.dmp

Filesize
504KB

Download
memory/2148-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads