1a331904f3ff70d0bc86f3b3a2b91e356a2bcb61e16075f76d56491fb924b668

General

Target

d44029c223b1c016ec6d9bf5e762028f.exe
Size

10.2MB
MD5

d44029c223b1c016ec6d9bf5e762028f
SHA1

ea6cd68312580411bd1235a55b72b9b5565aaca3
SHA256

1a331904f3ff70d0bc86f3b3a2b91e356a2bcb61e16075f76d56491fb924b668
SHA512

e84dae636e73b4971d59efae5bf9ef1a91e32b40e9a4fdc99264e4451483d0069e3997e1ea63c797ddce88c8ee985a1c94c82f7473788d7eb5bdda2651382a2e
SSDEEP

98304:mxphNfIBVFPehiVe30g2yOEjjs9/g3n0QjIDZIWxQm30g2yOEjjs9/g3:Epht+8UjZUju/C0QjIDPxQbZUju/

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	d44029c223b1c016ec6d9bf5e762028f.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	d44029c223b1c016ec6d9bf5e762028f.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	d44029c223b1c016ec6d9bf5e762028f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000c00000001222a-11.dat	upx
behavioral1/files/0x000c00000001222a-14.dat	upx
behavioral1/files/0x000c00000001222a-13.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d44029c223b1c016ec6d9bf5e762028f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d44029c223b1c016ec6d9bf5e762028f.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	d44029c223b1c016ec6d9bf5e762028f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	d44029c223b1c016ec6d9bf5e762028f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	d44029c223b1c016ec6d9bf5e762028f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	d44029c223b1c016ec6d9bf5e762028f.exe
3068	d44029c223b1c016ec6d9bf5e762028f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3068	2360	d44029c223b1c016ec6d9bf5e762028f.exe	28
PID 2360 wrote to memory of 3068	2360	d44029c223b1c016ec6d9bf5e762028f.exe	28
PID 2360 wrote to memory of 3068	2360	d44029c223b1c016ec6d9bf5e762028f.exe	28
PID 2360 wrote to memory of 3068	2360	d44029c223b1c016ec6d9bf5e762028f.exe	28

C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe
"C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe
  C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe

Filesize
1.2MB

MD5
8606f552cfeb2fa35ab93425789c132c

SHA1
00b0b0aa7f28884a5898da493f7f9de9f4ff77c0

SHA256
3beb2acfad428ebc164aa72bb8d594730e22bc8b7b1022527ea41152c55f21d2

SHA512
5da9ff03f9508e156a4ea3e4a25f4ef847c74b4c6587905a036600a9b0bbd0fac5052e24f560adf49ca3714a819977f4c0a05c25e94a978858e5ae8ab68cc531

Download Submit
C:\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe

Filesize
1.1MB

MD5
015bb60fab258fe416c0f3a901ae2efa

SHA1
99cc58527e1b9af54ef7456a35c1e3f5ad70f728

SHA256
d8d2c604a2e3f95b2254b0b64e6182f473c2fb74b7a567da2669c614fadbabf2

SHA512
e1433f71d16c5aa7e9e584c0dc5b92e5cd41cf90ead01b41557e61b513c216347ccc4eda82e7087046fdb68abd17793e4d089fe51551cef48f9d672dd36bd4da

Download Submit
\Users\Admin\AppData\Local\Temp\d44029c223b1c016ec6d9bf5e762028f.exe

Filesize
1.4MB

MD5
73eaf1eabfae212f8f21e748717c1fcf

SHA1
1f7d2d4025eaad5d116f3e8097b350be3dcd3fa5

SHA256
dfc9a500aa25006f07098ccabaf6177f0324322e94bef26a74f2e47515c95ac0

SHA512
c7471b727dc37918dccd02bc649cf3341582385ac0f9c8a1bb83a23485ee07388d7fffe870a488fa5c4645390212f5d4c693610bc60625305407d15a210b9edb

Download Submit
memory/2360-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2360-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2360-3-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2360-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2360-16-0x0000000004AA0000-0x000000000543E000-memory.dmp

Filesize
9.6MB

Download
memory/2360-42-0x0000000004AA0000-0x000000000543E000-memory.dmp

Filesize
9.6MB

Download
memory/3068-19-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/3068-23-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/3068-43-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing