79d67185df1612bf2dccd7ddcff550478a2e501d0256bbd5d89987f303f9b3ab

General

Target

c98be56d7b2871b7d99277ce02933719.exe
Size

765KB
MD5

c98be56d7b2871b7d99277ce02933719
SHA1

e4ebbe24cb57d3b97f678d81cfc6a01663f8c4a1
SHA256

79d67185df1612bf2dccd7ddcff550478a2e501d0256bbd5d89987f303f9b3ab
SHA512

266d7cac92a8af2896a88dfc14f5cfd72243401aebf283c51899635cf252cb034345288a93a10a85a2fa54e1a0f0927764cf28e6a6c75c84fd950bf56ca97708
SSDEEP

12288:geFDgXjU3mQJtl+kw/xK94KQk5KVtCEut3OsLP95cRMYdhJ3eaQ5flO9dJ5IECpC:n2XQzl+kw/xzOctreHcRWcjukL2Y

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	c98be56d7b2871b7d99277ce02933719.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	c98be56d7b2871b7d99277ce02933719.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	c98be56d7b2871b7d99277ce02933719.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012257-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2648	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c98be56d7b2871b7d99277ce02933719.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c98be56d7b2871b7d99277ce02933719.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c98be56d7b2871b7d99277ce02933719.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c98be56d7b2871b7d99277ce02933719.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	c98be56d7b2871b7d99277ce02933719.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	c98be56d7b2871b7d99277ce02933719.exe
2216	c98be56d7b2871b7d99277ce02933719.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2216	3028	c98be56d7b2871b7d99277ce02933719.exe	29
PID 3028 wrote to memory of 2216	3028	c98be56d7b2871b7d99277ce02933719.exe	29
PID 3028 wrote to memory of 2216	3028	c98be56d7b2871b7d99277ce02933719.exe	29
PID 3028 wrote to memory of 2216	3028	c98be56d7b2871b7d99277ce02933719.exe	29
PID 2216 wrote to memory of 2648	2216	c98be56d7b2871b7d99277ce02933719.exe	30
PID 2216 wrote to memory of 2648	2216	c98be56d7b2871b7d99277ce02933719.exe	30
PID 2216 wrote to memory of 2648	2216	c98be56d7b2871b7d99277ce02933719.exe	30
PID 2216 wrote to memory of 2648	2216	c98be56d7b2871b7d99277ce02933719.exe	30
PID 2216 wrote to memory of 2588	2216	c98be56d7b2871b7d99277ce02933719.exe	32
PID 2216 wrote to memory of 2588	2216	c98be56d7b2871b7d99277ce02933719.exe	32
PID 2216 wrote to memory of 2588	2216	c98be56d7b2871b7d99277ce02933719.exe	32
PID 2216 wrote to memory of 2588	2216	c98be56d7b2871b7d99277ce02933719.exe	32
PID 2588 wrote to memory of 2856	2588	cmd.exe	34
PID 2588 wrote to memory of 2856	2588	cmd.exe	34
PID 2588 wrote to memory of 2856	2588	cmd.exe	34
PID 2588 wrote to memory of 2856	2588	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe
"C:\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe
  C:\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\Q8YzF6.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Q8YzF6.xml

Filesize
1KB

MD5
7f6cf6cce5865ab2fb8b2e8b4896f2e2

SHA1
6add343cedd1dc0dfc8f7a9397057b4967071883

SHA256
376804066ae19231ef46d5ff4fb6e32fb0a8508e74c6ce499bcf686abb3e8f8f

SHA512
58929d644c5088b7397ba54bef65f9b2c2453bd447e30ed8ce04556fd0a38f1ef9383a3f6fc9514f3e98dd7c62aab7880e247614e3af304ca36bedfbe0bf5da3

Download Submit
\Users\Admin\AppData\Local\Temp\c98be56d7b2871b7d99277ce02933719.exe

Filesize
765KB

MD5
3828dfaf4ce6a26d120e473898d5d483

SHA1
c80157946e233f0d551f645c4c639a7513b6f139

SHA256
066b24fe60c5c8b3bc335f8a1e66d83f53a2800cb4b75250213fed77bf686115

SHA512
8df582537a7d647d9c481819e1da8a060bf87794bae96720d9ecc78442f01e45df2df9d571bb648efff9e0d69650e6556ae084dfad602d04360795615ad66fd7

Download Submit
memory/2216-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2216-21-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2216-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2216-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2216-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-3-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-16-0x0000000022F30000-0x000000002318C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads