6bdc66465acbd57971b7339950e12803f365130d8c4c9de98974a00a67e493c8

General

Target

e0112670e35e0c738690fdc8853f45e4.exe
Size

501KB
MD5

e0112670e35e0c738690fdc8853f45e4
SHA1

750e8c7ce55a5201d2c4bc865c431517240ffa9e
SHA256

6bdc66465acbd57971b7339950e12803f365130d8c4c9de98974a00a67e493c8
SHA512

8d3310a87a02cc397db73b369f4ebdbe69b9a03f8959131cca71b9aea40566570c7f3438410937a5fded9afd9d75fadab919ddf09dab3198f59f4a082b3e57bf
SSDEEP

12288:ilRimM932LH1CBx+0+qhtB6TZ6SpXgEh8niZBnaJP+DWN1:Ts1CBA0+KsRFv8ncY+D

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1204	e0112670e35e0c738690fdc8853f45e4.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	e0112670e35e0c738690fdc8853f45e4.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	e0112670e35e0c738690fdc8853f45e4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/1204-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012251-16.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e0112670e35e0c738690fdc8853f45e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e0112670e35e0c738690fdc8853f45e4.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	e0112670e35e0c738690fdc8853f45e4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	e0112670e35e0c738690fdc8853f45e4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	e0112670e35e0c738690fdc8853f45e4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	e0112670e35e0c738690fdc8853f45e4.exe
1204	e0112670e35e0c738690fdc8853f45e4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1204	2488	e0112670e35e0c738690fdc8853f45e4.exe	29
PID 2488 wrote to memory of 1204	2488	e0112670e35e0c738690fdc8853f45e4.exe	29
PID 2488 wrote to memory of 1204	2488	e0112670e35e0c738690fdc8853f45e4.exe	29
PID 2488 wrote to memory of 1204	2488	e0112670e35e0c738690fdc8853f45e4.exe	29
PID 1204 wrote to memory of 2684	1204	e0112670e35e0c738690fdc8853f45e4.exe	30
PID 1204 wrote to memory of 2684	1204	e0112670e35e0c738690fdc8853f45e4.exe	30
PID 1204 wrote to memory of 2684	1204	e0112670e35e0c738690fdc8853f45e4.exe	30
PID 1204 wrote to memory of 2684	1204	e0112670e35e0c738690fdc8853f45e4.exe	30
PID 1204 wrote to memory of 2088	1204	e0112670e35e0c738690fdc8853f45e4.exe	32
PID 1204 wrote to memory of 2088	1204	e0112670e35e0c738690fdc8853f45e4.exe	32
PID 1204 wrote to memory of 2088	1204	e0112670e35e0c738690fdc8853f45e4.exe	32
PID 1204 wrote to memory of 2088	1204	e0112670e35e0c738690fdc8853f45e4.exe	32
PID 2088 wrote to memory of 2564	2088	cmd.exe	34
PID 2088 wrote to memory of 2564	2088	cmd.exe	34
PID 2088 wrote to memory of 2564	2088	cmd.exe	34
PID 2088 wrote to memory of 2564	2088	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe
"C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe
  C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe" /TN ymuVbjyg4de6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN ymuVbjyg4de6 > C:\Users\Admin\AppData\Local\Temp\F6mCqObn.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN ymuVbjyg4de6
      4⤵
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F6mCqObn.xml

Filesize
1KB

MD5
1b34e86152eaf5862832e5104627aea0

SHA1
87d2e05a3a11ec5065ba8eb193304cca6ef22ada

SHA256
bcf394867a322d1f1695f8be1ac68f5a86c25ff0d780ca0e38822c0247af828b

SHA512
47205062411274542ca94034fc79ee7fab8a84da36085a403659801ed8d405df8e69ab0aaff6db278c2182443e41efa3409f698e82a9d9c272abe0fcaebc08c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0112670e35e0c738690fdc8853f45e4.exe

Filesize
501KB

MD5
40193ed648c58597ad69bdbf3a4f8844

SHA1
b6ebf5d9822fc132567f0c4ea8223cc04ca5a600

SHA256
706ac7ef77cfcea1022e6462d74b9a50ac4a103a19a81abc5cdef03a0bd03885

SHA512
64e1c93439ca214d0311793badaaf89d30b416b4016c542ab781eb120b0784d4988c30066b4b5448074e24fc7d06124d37750c3a27b4e3f400c33e24f22453c1

Download Submit
memory/1204-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1204-20-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/1204-26-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/1204-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1204-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-2-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download
memory/2488-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads