16abdd01618b56b8c5d09def17edcef03a3f0f6dc649f7169b2f3f7d42b1a20f

General

Target

c6ee8ae5b1c12e17a9afb0efc561ecca.exe
Size

1.6MB
MD5

c6ee8ae5b1c12e17a9afb0efc561ecca
SHA1

038397f8d99651a2203e7f26ebf350bc025eaaad
SHA256

16abdd01618b56b8c5d09def17edcef03a3f0f6dc649f7169b2f3f7d42b1a20f
SHA512

9b08227c840457ab1aa5a5d0399cd5a864ab94009cf5ae5fc85826e44e993f914ffe20cab0f77a533949b844a259f89f4cbcaa4ec7b5b9b28ee687ec12898df6
SSDEEP

49152:2Vo5NsEdezucakLz0qld0/gHSvTRlibcakLz0O:QSNsEdezucakcqldagyvPibcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Executes dropped EXE 1 IoCs

pid	Process
1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Loads dropped DLL 1 IoCs

pid	Process
1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000012253-11.dat	upx
behavioral1/memory/1636-16-0x0000000023130000-0x000000002338C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c6ee8ae5b1c12e17a9afb0efc561ecca.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	c6ee8ae5b1c12e17a9afb0efc561ecca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	c6ee8ae5b1c12e17a9afb0efc561ecca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe
1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1332	1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	29
PID 1636 wrote to memory of 1332	1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	29
PID 1636 wrote to memory of 1332	1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	29
PID 1636 wrote to memory of 1332	1636	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	29
PID 1332 wrote to memory of 2812	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	30
PID 1332 wrote to memory of 2812	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	30
PID 1332 wrote to memory of 2812	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	30
PID 1332 wrote to memory of 2812	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	30
PID 1332 wrote to memory of 2808	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	32
PID 1332 wrote to memory of 2808	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	32
PID 1332 wrote to memory of 2808	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	32
PID 1332 wrote to memory of 2808	1332	c6ee8ae5b1c12e17a9afb0efc561ecca.exe	32
PID 2808 wrote to memory of 2708	2808	cmd.exe	34
PID 2808 wrote to memory of 2708	2808	cmd.exe	34
PID 2808 wrote to memory of 2708	2808	cmd.exe	34
PID 2808 wrote to memory of 2708	2808	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe
"C:\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe
  C:\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe" /TN w6CK1HQd991c /F
    3⤵
    - Creates scheduled task(s)
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN w6CK1HQd991c > C:\Users\Admin\AppData\Local\Temp\7uMczqjZH.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN w6CK1HQd991c
      4⤵
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7uMczqjZH.xml

Filesize
1KB

MD5
020e62813f1d2552e122cd2b98f01432

SHA1
c2116a6d6675e80e2fef1c2be553e47feb0f2f42

SHA256
b6e7f7bfbf30ee2b628467c4a53a4642b1a2b9eefeee16e64675b3a5d13fa7f6

SHA512
ecdf920fd23b0552d2d40f2744ed37ada07583a36adbbbaf5533188df665072c084ba0fe2be514a4e161ad532c2791fb15f4558c8107a7b5b856ba3bc53ec8e9

Download Submit
\Users\Admin\AppData\Local\Temp\c6ee8ae5b1c12e17a9afb0efc561ecca.exe

Filesize
1.6MB

MD5
19b5e1ee1a70712519a55cd72709414e

SHA1
16fd22af1f3869911f634c01ecf4f505fd6dd1f1

SHA256
98331653718c34b8f150e731e2262557a72f024c16a40c29bd6d41f6ce8c372f

SHA512
24d39414e509c1d94d0c46193601762122e30ba7800c6ab5a386c24051d421a8db7d40e2d1783c9dfe01b097eecee658bea920ae9000c719dbd90dd0f9c9ae41

Download Submit
memory/1332-31-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/1332-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1332-21-0x0000000000250000-0x00000000002CE000-memory.dmp

Filesize
504KB

Download
memory/1332-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1332-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1636-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1636-16-0x0000000023130000-0x000000002338C000-memory.dmp

Filesize
2.4MB

Download
memory/1636-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1636-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1636-3-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/1636-54-0x0000000023130000-0x000000002338C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads