712c1df3975098d7c7ff68458bb6d5c2eb7186fbcc0d1f4b145adaafa768f180

General

Target

dfb95ff8292f962471ba871efdbefaaf.exe
Size

1003KB
MD5

dfb95ff8292f962471ba871efdbefaaf
SHA1

781c0c284e39e39b94c5b3d7e05ce803082bf1f8
SHA256

712c1df3975098d7c7ff68458bb6d5c2eb7186fbcc0d1f4b145adaafa768f180
SHA512

93c3d576adc6ba624b3be2a3158c347ecfec6d14067e832731672d4d9c3e38e2957f21a29971bc4c85f2c664165f676e13998104b01a79d8e6976eac88a201b3
SSDEEP

24576:Rigo6TqEzs74WgHlNa0erkZdEx3Knx6Y6:Ygo6T7zm4WgHlNBerkZdEx3Kns

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	dfb95ff8292f962471ba871efdbefaaf.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	dfb95ff8292f962471ba871efdbefaaf.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	dfb95ff8292f962471ba871efdbefaaf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b00000001224f-11.dat	upx
behavioral1/memory/2852-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	dfb95ff8292f962471ba871efdbefaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dfb95ff8292f962471ba871efdbefaaf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dfb95ff8292f962471ba871efdbefaaf.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	dfb95ff8292f962471ba871efdbefaaf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	dfb95ff8292f962471ba871efdbefaaf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2928	dfb95ff8292f962471ba871efdbefaaf.exe
2852	dfb95ff8292f962471ba871efdbefaaf.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2852	2928	dfb95ff8292f962471ba871efdbefaaf.exe	29
PID 2928 wrote to memory of 2852	2928	dfb95ff8292f962471ba871efdbefaaf.exe	29
PID 2928 wrote to memory of 2852	2928	dfb95ff8292f962471ba871efdbefaaf.exe	29
PID 2928 wrote to memory of 2852	2928	dfb95ff8292f962471ba871efdbefaaf.exe	29
PID 2852 wrote to memory of 2880	2852	dfb95ff8292f962471ba871efdbefaaf.exe	30
PID 2852 wrote to memory of 2880	2852	dfb95ff8292f962471ba871efdbefaaf.exe	30
PID 2852 wrote to memory of 2880	2852	dfb95ff8292f962471ba871efdbefaaf.exe	30
PID 2852 wrote to memory of 2880	2852	dfb95ff8292f962471ba871efdbefaaf.exe	30
PID 2852 wrote to memory of 2736	2852	dfb95ff8292f962471ba871efdbefaaf.exe	32
PID 2852 wrote to memory of 2736	2852	dfb95ff8292f962471ba871efdbefaaf.exe	32
PID 2852 wrote to memory of 2736	2852	dfb95ff8292f962471ba871efdbefaaf.exe	32
PID 2852 wrote to memory of 2736	2852	dfb95ff8292f962471ba871efdbefaaf.exe	32
PID 2736 wrote to memory of 2460	2736	cmd.exe	34
PID 2736 wrote to memory of 2460	2736	cmd.exe	34
PID 2736 wrote to memory of 2460	2736	cmd.exe	34
PID 2736 wrote to memory of 2460	2736	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe
"C:\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe
  C:\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe" /TN ZBrUCVBB2555 /F
    3⤵
    - Creates scheduled task(s)
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN ZBrUCVBB2555 > C:\Users\Admin\AppData\Local\Temp\DWcES4a3.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN ZBrUCVBB2555
      4⤵
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DWcES4a3.xml

Filesize
1KB

MD5
f37c9f6834997dd96e6b56d75bb6d53f

SHA1
1c608e3af49fda6c0bcacfc01ec7db7a44779f72

SHA256
36a2a823c531c629a894070455045827c7d0cb8076e2e30fe2dd6ee33662ff33

SHA512
bf06d8840de2d428950229cfe8a219e05c5c7e0a13fcc6def537e74ce66371d4bd846d41a2fd13c441f3e62f2492d7ff7e599fa003211f50fb30238b86185abe

Download Submit
\Users\Admin\AppData\Local\Temp\dfb95ff8292f962471ba871efdbefaaf.exe

Filesize
1003KB

MD5
d9aa2cf7e1d00d60791486b62fb7fa08

SHA1
6f93842f44632739334913eb16642fed32f6237b

SHA256
152399d7eb03f4f000fef43bc68909678e3604c8972c56d5938cf1cdf59c79ec

SHA512
8ef42e2796fe3ab8d8881072a1b19c6b65aef4b6812e73df563e2df7b7187dd15f11ad53cd295fbec795fb0fab211217dcd1274e41051e7175e56e2f57daa4c4

Download Submit
memory/2852-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2852-19-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2852-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2852-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2852-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-3-0x00000000001E0000-0x000000000025E000-memory.dmp

Filesize
504KB

Download
memory/2928-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2928-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads