564633ac15a409915ac4f1eb5de311ff751d8cbb6ada28c3c884eb2111ee8cc2

General

Target

cb15512d2e3321b0287e037f073caba7.exe
Size

10.2MB
MD5

cb15512d2e3321b0287e037f073caba7
SHA1

5322c01df10301540c00eefb56dd059a2820f626
SHA256

564633ac15a409915ac4f1eb5de311ff751d8cbb6ada28c3c884eb2111ee8cc2
SHA512

896fa8996cadb89d53ab6e9fcfb2f444a0c787d3b051f0f3ad773d13882c67743567fe6f201e0fef5b6daa5fd0f033e4acdf3bcd6a9de24460ee18d9a8243fc6
SSDEEP

98304:5RQkgYXHnF3TSGeMLCxN+CE9DlQk3A62085XHEvfd83TSGeMLCxN+CE9DlQk3:5RQkPH97pAN+Ck25EHd67pAN+Ck

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cb15512d2e3321b0287e037f073caba7.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	cb15512d2e3321b0287e037f073caba7.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	cb15512d2e3321b0287e037f073caba7.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000a000000012241-11.dat	upx
behavioral1/files/0x000a000000012241-13.dat	upx
behavioral1/files/0x000a000000012241-14.dat	upx
behavioral1/memory/2556-19-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cb15512d2e3321b0287e037f073caba7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cb15512d2e3321b0287e037f073caba7.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	cb15512d2e3321b0287e037f073caba7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	cb15512d2e3321b0287e037f073caba7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2408	cb15512d2e3321b0287e037f073caba7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2408	cb15512d2e3321b0287e037f073caba7.exe
2556	cb15512d2e3321b0287e037f073caba7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2556	2408	cb15512d2e3321b0287e037f073caba7.exe	27
PID 2408 wrote to memory of 2556	2408	cb15512d2e3321b0287e037f073caba7.exe	27
PID 2408 wrote to memory of 2556	2408	cb15512d2e3321b0287e037f073caba7.exe	27
PID 2408 wrote to memory of 2556	2408	cb15512d2e3321b0287e037f073caba7.exe	27

C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe
"C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe
  C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe

Filesize
1.7MB

MD5
42377163b20781764f74c7e7fdd26d7a

SHA1
9fd340cbe8db2b17b0788859ec57c1be3d4264fe

SHA256
43c65186b1700b210885f4c276d8e620480138a93f3492761073c72f41d704e6

SHA512
4bea4bb53e67b4039bf766cbde0e35ee247e70e9fa54aebea284c2236ef5413bef98c87ca0c193efdf91fabaac45022582efee4df3d2e5f36cdce7cbee612f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe

Filesize
2.2MB

MD5
ac2976e516acbe076c6d1b4ac47753b9

SHA1
c523f619693661470169309cc9926e9e8b0d3394

SHA256
ae9ee2a4c9b7bceeaa7925157a073c5ad1b7a1b9063a0a7fb288c4f5835cb01e

SHA512
b3dfd5dbf8d62e0ff322aef55916be743f8f8bb41d191c24f412f4d1f97d8aa8da7b9df0d25bb768b2edfce89b13e9db1b585dcd9295b31a3c0d92e3192df08b

Download Submit
\Users\Admin\AppData\Local\Temp\cb15512d2e3321b0287e037f073caba7.exe

Filesize
1.8MB

MD5
619bf1145d92637a5579a8c24c48498c

SHA1
71b1e63cb81676edd1dd07118f97b35912f2f840

SHA256
1adffa3d5b6fa69cd57e5cda51e0c68af85d00bc1e3e32603635fc343eee88ea

SHA512
592e2ffecdc33eec332956a10f9b949e77fabe14341e40d580f7da43906b193de97937d2d4a7dc36106979ecf161542553d6db0df2cc395727a4f46ec62c4b60

Download Submit
memory/2408-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2408-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2408-4-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2408-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2408-16-0x0000000004AA0000-0x000000000543E000-memory.dmp

Filesize
9.6MB

Download
memory/2408-34-0x0000000004AA0000-0x000000000543E000-memory.dmp

Filesize
9.6MB

Download
memory/2556-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2556-21-0x0000000002240000-0x000000000249A000-memory.dmp

Filesize
2.4MB

Download
memory/2556-35-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing