b9042178f7a0ab0c5e4b23f4176c6c4764b2c1c103c81557c2e94b6d4df0d225

General

Target

cb96dd64182105a61033276e9a9795fd.exe
Size

3.9MB
MD5

cb96dd64182105a61033276e9a9795fd
SHA1

a32af5d2c394afb65af6c7e1c0069d1eb6643120
SHA256

b9042178f7a0ab0c5e4b23f4176c6c4764b2c1c103c81557c2e94b6d4df0d225
SHA512

6fa2cb3f821ec7f3a1e2f770d589638d0198e5921d14188cb8664264253b3e47db5d9d6a8194aea280035d90e3cc9ad56a9a466edbb0debd712f9f9c318d028d
SSDEEP

98304:EP8i0kA9zyULG+j0ugPsQYLKA9zyULG+SbzXjTA9zyULG+j0ugPsQYLKA9zyULG+:E0i+zLqwhrzLq/8zLqwhrzLq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	cb96dd64182105a61033276e9a9795fd.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	cb96dd64182105a61033276e9a9795fd.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	cb96dd64182105a61033276e9a9795fd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012239-11.dat	upx
behavioral1/memory/2936-16-0x00000000235F0000-0x000000002384C000-memory.dmp	upx
behavioral1/memory/2568-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2952	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cb96dd64182105a61033276e9a9795fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cb96dd64182105a61033276e9a9795fd.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	cb96dd64182105a61033276e9a9795fd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	cb96dd64182105a61033276e9a9795fd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2936	cb96dd64182105a61033276e9a9795fd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2936	cb96dd64182105a61033276e9a9795fd.exe
2568	cb96dd64182105a61033276e9a9795fd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2568	2936	cb96dd64182105a61033276e9a9795fd.exe	29
PID 2936 wrote to memory of 2568	2936	cb96dd64182105a61033276e9a9795fd.exe	29
PID 2936 wrote to memory of 2568	2936	cb96dd64182105a61033276e9a9795fd.exe	29
PID 2936 wrote to memory of 2568	2936	cb96dd64182105a61033276e9a9795fd.exe	29
PID 2568 wrote to memory of 2952	2568	cb96dd64182105a61033276e9a9795fd.exe	30
PID 2568 wrote to memory of 2952	2568	cb96dd64182105a61033276e9a9795fd.exe	30
PID 2568 wrote to memory of 2952	2568	cb96dd64182105a61033276e9a9795fd.exe	30
PID 2568 wrote to memory of 2952	2568	cb96dd64182105a61033276e9a9795fd.exe	30
PID 2568 wrote to memory of 2452	2568	cb96dd64182105a61033276e9a9795fd.exe	32
PID 2568 wrote to memory of 2452	2568	cb96dd64182105a61033276e9a9795fd.exe	32
PID 2568 wrote to memory of 2452	2568	cb96dd64182105a61033276e9a9795fd.exe	32
PID 2568 wrote to memory of 2452	2568	cb96dd64182105a61033276e9a9795fd.exe	32
PID 2452 wrote to memory of 2888	2452	cmd.exe	34
PID 2452 wrote to memory of 2888	2452	cmd.exe	34
PID 2452 wrote to memory of 2888	2452	cmd.exe	34
PID 2452 wrote to memory of 2888	2452	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe
"C:\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe
  C:\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe" /TN uoFCMKY16031 /F
    3⤵
    - Creates scheduled task(s)
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uoFCMKY16031 > C:\Users\Admin\AppData\Local\Temp\ivKOeFj1Y.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uoFCMKY16031
      4⤵
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ivKOeFj1Y.xml

Filesize
1KB

MD5
0f18b61dacbb74a828a1ca142fb3b882

SHA1
85cd8a5285071c0ac36e14af8f114e2c1ffc2399

SHA256
a06e716ea1c31fd31a978cbf772b3fa6318a8bef37ff2cf8bc291dec7f14a4dc

SHA512
2953150086f40f1f972d56c6efa31c2e72eed5f9c69b94374893d12cbc404a2fe1baf998ea066f88583a19d6d19b0ff9a1b5dd98caeb10b7ac46901678c2d0b6

Download Submit
\Users\Admin\AppData\Local\Temp\cb96dd64182105a61033276e9a9795fd.exe

Filesize
3.9MB

MD5
7abc039b2227c1e1319ec8935a51625d

SHA1
30a6b6f58d87ded6526c96874fb1343b3f951836

SHA256
52dfdddb34b14b83c2655293a0f4071ebf6d15f614364a4bf33ce310fd4c25ab

SHA512
60e912378766319f6a447c26a0cbad0e07b77e46f1ca4bec9d83e2834fceabcef9fece7985895fe17d0af9ffed215e2858f73afc519a6c8110f41fc6893b64a2

Download Submit
memory/2568-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2568-20-0x0000000000340000-0x00000000003BE000-memory.dmp

Filesize
504KB

Download
memory/2568-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2568-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2568-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2936-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2936-2-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2936-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2936-16-0x00000000235F0000-0x000000002384C000-memory.dmp

Filesize
2.4MB

Download
memory/2936-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads