fd0a4269862e7380441c675a4ce298bf05f2320fd8b76f26d2268486f3c519ec

General

Target

dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
Size

2.6MB
MD5

dee9c8b7a7b5bc440cc3cd3397f6fd51
SHA1

b94a6449b0aa683a4dada1e94d12e706e527b101
SHA256

fd0a4269862e7380441c675a4ce298bf05f2320fd8b76f26d2268486f3c519ec
SHA512

fd87e07ce11ef55016fefad3b4a8e370bbf14d9747515be63c1afcd1503310f2948b87795301238b91d14bf1e9389346df45f326ee911b0518552ac80865ff3f
SSDEEP

49152:o1AE/sqRGawVJZL9LLc+6swMJndOyf+GG20/C2hCOqwO0ay3:IRGaaRfLz9vuao3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0009000000012247-11.dat	upx
behavioral1/files/0x0009000000012247-13.dat	upx
behavioral1/files/0x0009000000012247-15.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
3036	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3036	2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe	28
PID 2868 wrote to memory of 3036	2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe	28
PID 2868 wrote to memory of 3036	2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe	28
PID 2868 wrote to memory of 3036	2868	dee9c8b7a7b5bc440cc3cd3397f6fd51.exe	28

C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
"C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
  C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Filesize
518KB

MD5
eed8d2fe73d1d2d65622d5d9ffefbca3

SHA1
17b4feba7e9bd2bbaa26cb9f014f560117ab18ae

SHA256
0879afe76ad15872bdbf8a3be2ccb568c2e597e71c5bf32af6603fa1611163ce

SHA512
4f7a652ea953f114068bfac7f089a40c49619819324e8d8e17897f8c488f8346f91c3103ebaa5820ad235777c066bcbd24b835af3d3b02ec8c7d8f7e4c13a7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Filesize
735KB

MD5
35f8fbb958b4cf16fc0180e4a5576360

SHA1
91ebe508336447fda1a747498fd9bde0d184ccca

SHA256
45db52bcf959904aea829bc9038eab1782eeda5afd729e711e7539d5e8469d30

SHA512
917933a9d64954fdca6c1de3b518f0e960b57174dcc023206d7d804c31870f3749f3833561e2bbc61fe95b7725fe9254caeff7c18f01d51fdaefb13b5cfa6f63

Download Submit
\Users\Admin\AppData\Local\Temp\dee9c8b7a7b5bc440cc3cd3397f6fd51.exe

Filesize
506KB

MD5
b7c228547b1e06efc1459dfb7f8915f0

SHA1
20fe427826767854d01769ff50b1e82dda832fff

SHA256
2b34de5e6e8767ddccbb97c0a431cbf58cf4384cb7cf040e96d42eea70ca85df

SHA512
fd679737794ce8b6523313525082253f44764d2c08b2eb975aeaa393bb904d4fb3158e346409c9de3913467d4b8a353315fca96aebde1a4d64a58681eef1b2ff

Download Submit
memory/2868-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2868-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2868-3-0x0000000002290000-0x00000000024EA000-memory.dmp

Filesize
2.4MB

Download
memory/2868-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2868-16-0x0000000003B90000-0x000000000452E000-memory.dmp

Filesize
9.6MB

Download
memory/2868-43-0x0000000003B90000-0x000000000452E000-memory.dmp

Filesize
9.6MB

Download
memory/3036-18-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/3036-21-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/3036-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing