09b6ed4ae71f8479fb74ea9f9d3df0546a6a64a0eea751e59f2994852d38755f

General

Target

cc09a1ddbd5006b4a9819187d4fecb39.exe
Size

3.9MB
MD5

cc09a1ddbd5006b4a9819187d4fecb39
SHA1

1b6a143fd9fd7de4fe5cd146c80749fe3c386b93
SHA256

09b6ed4ae71f8479fb74ea9f9d3df0546a6a64a0eea751e59f2994852d38755f
SHA512

3ba600d281ad7286f00d9a7ea421eadb7006edfcebfdcfe653687a1911934aea9f49193a36de454d92bf6d5d196cacf5321558e1f2247bca3ba21da9f120fae3
SSDEEP

98304:pV69eC13cakcibiqhMbMgOn7n0bcakcibiqhG/JewlX9HGnrcakcibiqhMbMgOn1:p+dlirybMgOnkdlirhwlXhGnrdlirybo

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1660	cc09a1ddbd5006b4a9819187d4fecb39.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	cc09a1ddbd5006b4a9819187d4fecb39.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	cc09a1ddbd5006b4a9819187d4fecb39.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1068-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000139e0-11.dat	upx
behavioral1/memory/1068-16-0x00000000237A0000-0x00000000239FC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2680	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cc09a1ddbd5006b4a9819187d4fecb39.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	cc09a1ddbd5006b4a9819187d4fecb39.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	cc09a1ddbd5006b4a9819187d4fecb39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cc09a1ddbd5006b4a9819187d4fecb39.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1068	cc09a1ddbd5006b4a9819187d4fecb39.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1068	cc09a1ddbd5006b4a9819187d4fecb39.exe
1660	cc09a1ddbd5006b4a9819187d4fecb39.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1660	1068	cc09a1ddbd5006b4a9819187d4fecb39.exe	29
PID 1068 wrote to memory of 1660	1068	cc09a1ddbd5006b4a9819187d4fecb39.exe	29
PID 1068 wrote to memory of 1660	1068	cc09a1ddbd5006b4a9819187d4fecb39.exe	29
PID 1068 wrote to memory of 1660	1068	cc09a1ddbd5006b4a9819187d4fecb39.exe	29
PID 1660 wrote to memory of 2680	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	30
PID 1660 wrote to memory of 2680	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	30
PID 1660 wrote to memory of 2680	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	30
PID 1660 wrote to memory of 2680	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	30
PID 1660 wrote to memory of 2604	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	32
PID 1660 wrote to memory of 2604	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	32
PID 1660 wrote to memory of 2604	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	32
PID 1660 wrote to memory of 2604	1660	cc09a1ddbd5006b4a9819187d4fecb39.exe	32
PID 2604 wrote to memory of 2644	2604	cmd.exe	34
PID 2604 wrote to memory of 2644	2604	cmd.exe	34
PID 2604 wrote to memory of 2644	2604	cmd.exe	34
PID 2604 wrote to memory of 2644	2604	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe
"C:\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe
  C:\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\P5IKXeE13.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 6ek6uOO9da42
      4⤵
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P5IKXeE13.xml

Filesize
1KB

MD5
6b572ee1c8fb1026627f24b04b02c49e

SHA1
09e9a77d82a3bca091a73215ee08f6a2f6343ba8

SHA256
e167bdf4ac6881a60596f4db270dbb71218536f11499346427228b4956f50489

SHA512
babb424f8297fcf1fdf1ed377f880fedf6d40af7098a06256061bbf7719a580accdeaf1d4795dd1c604539b6491fd424414493aa2c54e742d5fa564b8f77876f

Download Submit
\Users\Admin\AppData\Local\Temp\cc09a1ddbd5006b4a9819187d4fecb39.exe

Filesize
3.9MB

MD5
aaf99ddff6c84785e3f75d0a8f87b03d

SHA1
ee09d2a07c3bd0b451685a6c9f0dc960be3b1c7d

SHA256
4f3155d919f102dfc592fc225b43f1dca966350c5c7a45caad7c8d4e4ecafd28

SHA512
357fe190520252da793a79f4ea45dc6ed77be8a2ae426276a209fde60adc4f34302136fd2bedb763c8ed1a03a919ac7f10e3f6bcdd95993f6f33c3f3f6542760

Download Submit
memory/1068-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1068-2-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/1068-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1068-16-0x00000000237A0000-0x00000000239FC000-memory.dmp

Filesize
2.4MB

Download
memory/1068-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1660-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1660-21-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/1660-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1660-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1660-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads