2c5c64003c3f94043a887c5d468ab235d5729a845f8b2161217465a5c4014fab

General

Target

cc2253834d9f6dbf9f05a59c09e20cad.exe
Size

7.8MB
MD5

cc2253834d9f6dbf9f05a59c09e20cad
SHA1

c3ca6318dce514f4e7790b91947b4c243fb4313c
SHA256

2c5c64003c3f94043a887c5d468ab235d5729a845f8b2161217465a5c4014fab
SHA512

e6048a316bb5b3d258869de7d3423ddc9e5240c59d7ca3e8450dc2e6aba4c530dd56185bcd67a7211ad380610ee3cfbbcdd376a5dbe24bf771f76dac6eb28989
SSDEEP

196608:Im19dlirnhdiV1dlirBgLHH7rdlirnhdiV1dlir7RJ4XdlirnhdiV1dlirBgLHHS:IOYXdgLHH76XnfBXdgLHH76X

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cc2253834d9f6dbf9f05a59c09e20cad.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	cc2253834d9f6dbf9f05a59c09e20cad.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	cc2253834d9f6dbf9f05a59c09e20cad.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-11.dat	upx
behavioral1/memory/2156-16-0x0000000024020000-0x000000002427C000-memory.dmp	upx
behavioral1/files/0x000a000000012255-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2604	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cc2253834d9f6dbf9f05a59c09e20cad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cc2253834d9f6dbf9f05a59c09e20cad.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	cc2253834d9f6dbf9f05a59c09e20cad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	cc2253834d9f6dbf9f05a59c09e20cad.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	cc2253834d9f6dbf9f05a59c09e20cad.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2156	cc2253834d9f6dbf9f05a59c09e20cad.exe
2508	cc2253834d9f6dbf9f05a59c09e20cad.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2508	2156	cc2253834d9f6dbf9f05a59c09e20cad.exe	29
PID 2156 wrote to memory of 2508	2156	cc2253834d9f6dbf9f05a59c09e20cad.exe	29
PID 2156 wrote to memory of 2508	2156	cc2253834d9f6dbf9f05a59c09e20cad.exe	29
PID 2156 wrote to memory of 2508	2156	cc2253834d9f6dbf9f05a59c09e20cad.exe	29
PID 2508 wrote to memory of 2604	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	30
PID 2508 wrote to memory of 2604	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	30
PID 2508 wrote to memory of 2604	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	30
PID 2508 wrote to memory of 2604	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	30
PID 2508 wrote to memory of 2204	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	32
PID 2508 wrote to memory of 2204	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	32
PID 2508 wrote to memory of 2204	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	32
PID 2508 wrote to memory of 2204	2508	cc2253834d9f6dbf9f05a59c09e20cad.exe	32
PID 2204 wrote to memory of 2560	2204	cmd.exe	34
PID 2204 wrote to memory of 2560	2204	cmd.exe	34
PID 2204 wrote to memory of 2560	2204	cmd.exe	34
PID 2204 wrote to memory of 2560	2204	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe
"C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe
  C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe" /TN ZBrUCVBB2555 /F
    3⤵
    - Creates scheduled task(s)
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN ZBrUCVBB2555 > C:\Users\Admin\AppData\Local\Temp\tD3Opo.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN ZBrUCVBB2555
      4⤵
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe

Filesize
7.8MB

MD5
abe3e50f78512582d4ac896cee136307

SHA1
e7eff3f16f26e38e88c1b7831bc1239184470f8d

SHA256
a5c212d8a88b0363529555b8f074ba4f9387e4b8a89f706e3947b226a8df1180

SHA512
bc455871bea6dbb546a775718de1d81ac43890873ebb8b0dc1abe0819155795e4b79f6ffa2e979beef6e2d8f05c94f5ed068baf69c618c8c6e46d15f021b77ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tD3Opo.xml

Filesize
1KB

MD5
5d06e072e1783a7f87f27ee9ea4ed2c1

SHA1
a276e8dcc9f3b70d17acd69c13959a929c6d01d4

SHA256
f17b20e4dfef5a0ce31408e5f56371d8b8902b720af1ebcf2ac9949c0d41d2a0

SHA512
f3afc2b2775641fc31728e64364ebfb1e2a5525c8dc7fd2edb6969cb02b26d4e5144e3ca5d3a2e126f0f713777550ec53d476919353d134a0ff7109d4c8632d6

Download Submit
\Users\Admin\AppData\Local\Temp\cc2253834d9f6dbf9f05a59c09e20cad.exe

Filesize
5.1MB

MD5
cad6ed0d2ee64f5363f3fe8fc09b4180

SHA1
dc6353f815358bc02370b633723bb822e828b2ac

SHA256
c8e1cf63993aa936ac12cdbbdc0de800c99a6a20e592575beda62058aa86e3fb

SHA512
e32544abaca8c198551e1a4014bd7a2ebe5ee7da7e18893a40665f942895e1bc300e817be0d6e6ea518f18767b169ead873a10840db9e84b7754da812d19fe47

Download Submit
memory/2156-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2156-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2156-16-0x0000000024020000-0x000000002427C000-memory.dmp

Filesize
2.4MB

Download
memory/2156-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2156-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2508-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2508-27-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/2508-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2508-21-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2508-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads