ef526dc295bc08acbed0469ea794a5cca7d606299b91691fcd064337ec2ededc

General

Target

c973fa7527655b6654c0b9ff6869a3b7.exe
Size

7.8MB
MD5

c973fa7527655b6654c0b9ff6869a3b7
SHA1

c33c8eb2b6503d035b212bb6d77c1151296ce3ad
SHA256

ef526dc295bc08acbed0469ea794a5cca7d606299b91691fcd064337ec2ededc
SHA512

18c300606d8f43b881e09f5e62a180090cb48685ff5bc25fd8445b62ba373e5a0bbceb2ca05e7d794dda504b1a6e0eb948f6c16bae7f9bde9306f9987be5d114
SSDEEP

196608:e+Zvfdlir8eCdlirl1aXdlir8eCdlirjE4XP1Dypdlir8eCdlirl1aXdlir8eCdE:ewvtTGEmwzT

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	c973fa7527655b6654c0b9ff6869a3b7.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	c973fa7527655b6654c0b9ff6869a3b7.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	c973fa7527655b6654c0b9ff6869a3b7.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000900000001447e-11.dat	upx
behavioral1/files/0x000900000001447e-15.dat	upx
behavioral1/memory/3056-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c973fa7527655b6654c0b9ff6869a3b7.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c973fa7527655b6654c0b9ff6869a3b7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c973fa7527655b6654c0b9ff6869a3b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c973fa7527655b6654c0b9ff6869a3b7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	c973fa7527655b6654c0b9ff6869a3b7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	c973fa7527655b6654c0b9ff6869a3b7.exe
3056	c973fa7527655b6654c0b9ff6869a3b7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3056	2360	c973fa7527655b6654c0b9ff6869a3b7.exe	29
PID 2360 wrote to memory of 3056	2360	c973fa7527655b6654c0b9ff6869a3b7.exe	29
PID 2360 wrote to memory of 3056	2360	c973fa7527655b6654c0b9ff6869a3b7.exe	29
PID 2360 wrote to memory of 3056	2360	c973fa7527655b6654c0b9ff6869a3b7.exe	29
PID 3056 wrote to memory of 2600	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	30
PID 3056 wrote to memory of 2600	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	30
PID 3056 wrote to memory of 2600	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	30
PID 3056 wrote to memory of 2600	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	30
PID 3056 wrote to memory of 2900	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	32
PID 3056 wrote to memory of 2900	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	32
PID 3056 wrote to memory of 2900	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	32
PID 3056 wrote to memory of 2900	3056	c973fa7527655b6654c0b9ff6869a3b7.exe	32
PID 2900 wrote to memory of 2912	2900	cmd.exe	34
PID 2900 wrote to memory of 2912	2900	cmd.exe	34
PID 2900 wrote to memory of 2912	2900	cmd.exe	34
PID 2900 wrote to memory of 2912	2900	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe
"C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe
  C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\5nstd.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 6ek6uOO9da42
      4⤵
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5nstd.xml

Filesize
1KB

MD5
9275f906dda076bbee7e00c02073d243

SHA1
01c844aa27ccf1868f7bd2affc3b63b3033a3c78

SHA256
507504cf600e43514f9a0cb11e94e79277d3b15002d8b4f2608e86b7b047fbc6

SHA512
c15ec3d1c23860045d352df4c3215e6988c465e518eef3a981d51e51cf531933d4efd8b087f2535d2f29cc3bd2a37f87b1379265bb21e43a290d5a8b8eb5971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe

Filesize
7.8MB

MD5
5b15aafcd6016f9fa39b111ba1ef1286

SHA1
b4bf7b7b2441a90c5164d2d4a618ce5ef5a3ef31

SHA256
9c06ce525467f485530495a677e1d8b2e7daaae587d3678b0241000fee93e22e

SHA512
314dc2d49b48cd9c8c60c79a4b02a0f541ea66e938d5e47dfb102198232cbd59bb7ebc1cd5e7907f417bbfcd3a452781235948bfdf974416e069138a8c61738a

Download Submit
\Users\Admin\AppData\Local\Temp\c973fa7527655b6654c0b9ff6869a3b7.exe

Filesize
6.2MB

MD5
06b9ca98b5a26d2319ef37ca32590b0e

SHA1
28681b21e6be872455a51f4c2223e24ac3ecd6f4

SHA256
4bcf42eba0cd2431b851d7f6f450e8b974dcc4ffe73f2db0c6b59de20b3aa6cf

SHA512
1ffd7ffc0b7cd3bbb958628dd48e8a0bc2ce1fe9e70dbcaf911b1efc47435029a845d732f9fe1902b4fb998b7adc1fbaf70f39273d9193a86f7c42eeeba96b2e

Download Submit
memory/2360-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2360-2-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2360-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2360-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3056-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3056-19-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/3056-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3056-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3056-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads