f4c53397da423fab6051e38a4d5f90102e9373c74eb4ead1dcd2362ac0ff9fab

General

Target

c9fdd791a203086624168fe3f3141962.exe
Size

3.9MB
MD5

c9fdd791a203086624168fe3f3141962
SHA1

767c33c28a211ea7770b2e0970122c6ef43aaba3
SHA256

f4c53397da423fab6051e38a4d5f90102e9373c74eb4ead1dcd2362ac0ff9fab
SHA512

a4583a5e66b68d7b1f4c8214e9f7ffec52ee8cf41b0ed3503872087e629fb200f6ff0a3135fa14c6b81d4a83324e777169be06d72edaf76833b7cbe811696972
SSDEEP

98304:CnOzNTZQ31A9zyULG+UEOGMIMj7A9zyULG+4FA1v6FvjC5TA9zyULG+UEOGMIMj0:CnOzNVzLqtvFI1zLqlAEBjC58zLqtvFN

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	c9fdd791a203086624168fe3f3141962.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	c9fdd791a203086624168fe3f3141962.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	c9fdd791a203086624168fe3f3141962.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012257-11.dat	upx
behavioral1/memory/2216-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012257-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2648	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c9fdd791a203086624168fe3f3141962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c9fdd791a203086624168fe3f3141962.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c9fdd791a203086624168fe3f3141962.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c9fdd791a203086624168fe3f3141962.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	c9fdd791a203086624168fe3f3141962.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3028	c9fdd791a203086624168fe3f3141962.exe
2216	c9fdd791a203086624168fe3f3141962.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2216	3028	c9fdd791a203086624168fe3f3141962.exe	29
PID 3028 wrote to memory of 2216	3028	c9fdd791a203086624168fe3f3141962.exe	29
PID 3028 wrote to memory of 2216	3028	c9fdd791a203086624168fe3f3141962.exe	29
PID 3028 wrote to memory of 2216	3028	c9fdd791a203086624168fe3f3141962.exe	29
PID 2216 wrote to memory of 2648	2216	c9fdd791a203086624168fe3f3141962.exe	30
PID 2216 wrote to memory of 2648	2216	c9fdd791a203086624168fe3f3141962.exe	30
PID 2216 wrote to memory of 2648	2216	c9fdd791a203086624168fe3f3141962.exe	30
PID 2216 wrote to memory of 2648	2216	c9fdd791a203086624168fe3f3141962.exe	30
PID 2216 wrote to memory of 2632	2216	c9fdd791a203086624168fe3f3141962.exe	32
PID 2216 wrote to memory of 2632	2216	c9fdd791a203086624168fe3f3141962.exe	32
PID 2216 wrote to memory of 2632	2216	c9fdd791a203086624168fe3f3141962.exe	32
PID 2216 wrote to memory of 2632	2216	c9fdd791a203086624168fe3f3141962.exe	32
PID 2632 wrote to memory of 3060	2632	cmd.exe	34
PID 2632 wrote to memory of 3060	2632	cmd.exe	34
PID 2632 wrote to memory of 3060	2632	cmd.exe	34
PID 2632 wrote to memory of 3060	2632	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe
"C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe
  C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\GIKCLYP.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GIKCLYP.xml

Filesize
1KB

MD5
5ebe3bce842809ce872162a9388e1fbe

SHA1
79b2b66fd86f6f02a638e008b437e02b9c9db1f7

SHA256
b79418beffa8900d6102cc98782f2e0367c9e855854af8fd847047784bdef358

SHA512
2f8c6c18e3616bf3ad51981f048cb4db8a9060f64db68b5576575e4ee6c8d8d91b40eb33c4cf5ba135307006bd9ccffc7776269065df41dfdc208d6356b9a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe

Filesize
1.6MB

MD5
8aad6548ac9266be36d70f6113893b64

SHA1
3c9a5c2e00095025031a7001fb48c6bcc4831452

SHA256
d7bcd9b80531d0f3fde7671bf1a30fb92654c1b8b5528b1835c1f17a59a103f3

SHA512
0f42ec028e3b7f401e0dd08311590b351f8edd6f3f404f542c1a2f211dbc4f5ef823a3a4b968b2ade30b9b3032c38c6aee7c726e2e22380314ecdf4c8c608a7d

Download Submit
\Users\Admin\AppData\Local\Temp\c9fdd791a203086624168fe3f3141962.exe

Filesize
1.2MB

MD5
d919d95120f29f4383d20d617bd81aca

SHA1
ed09cfed52eb70cd7697b1f30308377b917db296

SHA256
dffb2b97a341f1003d424d5fda30ffb4205ebb35b3163cfc550e848f84705485

SHA512
135b46825c61222461adcf7c1f7e25178560b04ecd85d36aa3c213389a783e1a4e543279a0a482d8c13fad46ded7cb66c15a8188c5bf5c17eb5b6d63e0ca4484

Download Submit
memory/2216-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2216-21-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2216-31-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/2216-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2216-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3028-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3028-15-0x0000000023790000-0x00000000239EC000-memory.dmp

Filesize
2.4MB

Download
memory/3028-3-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads