e0db3439a5592b527db3582a8a543d788b5ae67591f92f9c7ad94fc8245ae645

General

Target

deeef6cb6bd552fac36dfc1b9c3e7dac.exe
Size

2.0MB
MD5

deeef6cb6bd552fac36dfc1b9c3e7dac
SHA1

9325da20ad2a14f849c6be51df12689b0132e196
SHA256

e0db3439a5592b527db3582a8a543d788b5ae67591f92f9c7ad94fc8245ae645
SHA512

201d34c491baee9e9007887c6d35f373f5276952243287095cf68c5e060acbedf361d0bb66b48c77d57ea4a7b56b699c38f8fd7aad6788a6761b0f9e7322a91e
SSDEEP

49152:fCTQ5VAM8Lt0EbPhFSTs09Os4Lwy/Rhxl6uuVBpTEmVSr157RbuSTs09Os4Lwy/S:fCEVj8Lt0EbPhFSTt9Os4Ltbxl6RzQmk

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Executes dropped EXE 1 IoCs

pid	Process
1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000121e6-11.dat	upx
behavioral1/memory/1728-16-0x0000000023400000-0x000000002365C000-memory.dmp	upx
behavioral1/files/0x000b0000000121e6-17.dat	upx
behavioral1/memory/1008-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2536	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	deeef6cb6bd552fac36dfc1b9c3e7dac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	deeef6cb6bd552fac36dfc1b9c3e7dac.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	deeef6cb6bd552fac36dfc1b9c3e7dac.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe
1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1008	1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	29
PID 1728 wrote to memory of 1008	1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	29
PID 1728 wrote to memory of 1008	1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	29
PID 1728 wrote to memory of 1008	1728	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	29
PID 1008 wrote to memory of 2536	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	30
PID 1008 wrote to memory of 2536	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	30
PID 1008 wrote to memory of 2536	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	30
PID 1008 wrote to memory of 2536	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	30
PID 1008 wrote to memory of 2672	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	32
PID 1008 wrote to memory of 2672	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	32
PID 1008 wrote to memory of 2672	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	32
PID 1008 wrote to memory of 2672	1008	deeef6cb6bd552fac36dfc1b9c3e7dac.exe	32
PID 2672 wrote to memory of 2712	2672	cmd.exe	34
PID 2672 wrote to memory of 2712	2672	cmd.exe	34
PID 2672 wrote to memory of 2712	2672	cmd.exe	34
PID 2672 wrote to memory of 2712	2672	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe
"C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe
  C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe" /TN JWBTdycj2e1b /F
    3⤵
    - Creates scheduled task(s)
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN JWBTdycj2e1b > C:\Users\Admin\AppData\Local\Temp\pBxX7wf.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN JWBTdycj2e1b
      4⤵
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Filesize
2.0MB

MD5
81e49c570b8bb24e9f2d724e873666c5

SHA1
01e07385e642571542035feeee7f38d4754f4d66

SHA256
178001a7d3a6fae7aeecde27a263197299987fea91acb72deff4516d02d5974c

SHA512
91ea56ebb683f164b2297b4d97d0b711b55a85377cfa2730b388ad9f9fd6578b4024db686f3de749c752d181d577c1679528272c083d5320da7bfcde5cdc0f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pBxX7wf.xml

Filesize
1KB

MD5
0259572fad2cb375cb5d0c629ed3afcd

SHA1
3c12adb9a0301869b7a10092b0deb747aac68f2c

SHA256
feddc7e89f58f4aac8ce88a68dcb815880e7d708b5b6914527196c29dd80dee5

SHA512
6e86da3d20442499e8d4b0be8f23588e6de62b047dfd6766790013fe5752487e66abd86a04709894ee4fdc659e5ae7b4499fea38099d9a9e01bcba1bb2bfc6b0

Download Submit
\Users\Admin\AppData\Local\Temp\deeef6cb6bd552fac36dfc1b9c3e7dac.exe

Filesize
1.9MB

MD5
66bddf69311acd10137409836bb85be6

SHA1
f158f407cc3d48f9f9b287f25ce27900163242c4

SHA256
43c3769fc6d477849a0fcc1ac4fed6790b342a3bbb5b7146820d52715268bcbf

SHA512
d7f1091c622744e3c6d2598685ecf442de3d6dae1ec2b7e355251460e2ac1c0bd490af77e2475862b431f00b29b062a57310d2ef782b46adf255b398f20157a4

Download Submit
memory/1008-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1008-20-0x0000000000320000-0x000000000039E000-memory.dmp

Filesize
504KB

Download
memory/1008-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1008-29-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1008-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1728-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1728-16-0x0000000023400000-0x000000002365C000-memory.dmp

Filesize
2.4MB

Download
memory/1728-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1728-4-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/1728-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads