4c1baefb3e979faa7733ff1269d1909553eb583c9994c93e80207993ab05b414

General

Target

tesetup.exe
Size

8.5MB
MD5

e2117b1bcb242413dac0c2ab781185cf
SHA1

87b125bd59fc9ff51e2b34ce7af0fcb63e4a906b
SHA256

17f049fecfce6461a398d914d6c265d0e0a074fa601310698b436445135b4797
SHA512

abdeb1512b4b4488b6b1c9fb0bfeba3cd5dae3eb3ac25d530497fd7cde4dc1dccd3fbc953afef404234b6c79e1d128b70807a332c54684cf17168b4eaba56362

Score

9^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\version.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\version.dll	upx

Loads dropped DLL 8 IoCs

Processes:

tesetup.exe

pid process

1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe

Drops file in Program Files directory 64 IoCs

Processes:

tesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\settings.ini	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\activenow_click.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Danish.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\German.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\french_largo.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\dbghelp.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\uninst.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Danish_kt.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\bosnian.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\MemfilesService.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\toolbar.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Romana.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\french.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\russian.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\slovenian_jrudec.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\Microsoft.VC90.ATL.manifest	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\French(CA).lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Swedish(ulfclaesson).lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\mfcm90u.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\ObjectAdmin.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\oc_btn_normal.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\activenow_normal.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\German_Erik.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Log.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Armenian.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Czech.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\French(FR).lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\korean.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\GUDownloader.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\dutch.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\japanese_lb.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\tab_btn_hover.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\tab_btn_normal.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\chineseT.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\hebrew.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\japanese.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\msvcr90.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\activenow_click.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\tab_btn_hover.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Francais (Philippe).lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Slovak_momirek.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\vietnamese.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Hungarian_l2belteki.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\turkish.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\ObjectAdmin.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\RestoreCenter.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\TracksEraser\oc_btn_hover.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Estonian.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Zoulou.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\ScanFile.dll	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\CrashReport.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\TracksEraser.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\main_like.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\oc_btn_hover.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Espaol_River.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Romanian(zocoza).lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\spanish_cannie new.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\MemfilesService.exe	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\x64\Win64ShellLink.exe	tesetup.exe
File opened for modification	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\settings.ini	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\Resources\RegistryCleaner\tab_btn_normal.png	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\French by Joe.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\Romania.lng	tesetup.exe
File created	C:\Program Files (x86)\Glarysoft\Glary Tracks Eraser\languages\french_Morvant.lng	tesetup.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

tesetup.exe

pid process

1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
1632 tesetup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tesetup.exe

pid process

1632 tesetup.exe

pid	process
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe
1632	tesetup.exe

pid	process
1632	tesetup.exe

C:\Users\Admin\AppData\Local\Temp\tesetup.exe
"C:\Users\Admin\AppData\Local\Temp\tesetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\Inetc.dll
MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\InstallOptions.dll
MD5
5d425526856cbdb7b14c75df417b6ef3

SHA1
46407f40cac772bca3804dc80fd489f87668a9e3

SHA256
aaacc7ef5cb2baf2338ac8e8479227e0a6336a6509119543680efa1dcdbae6a6

SHA512
b806bf9622040d120b407ae83d20ae935c9ff210332062f8fa3eccecba2a41bd041cf9523d500f9ce11b73076b97a884907cc06722531c2fe9b8d96ec16124fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\KillProcDLL.dll
MD5
2f8a43c3581af1f31ce8d9da0c03465b

SHA1
3cce52e1dd53191127a98b324644c5cc581295ca

SHA256
97b5b3985736cc0f49ceb2da68b01ce51fa821b6da3cec69cfeebfba8d626845

SHA512
fd4ffab70048664c2f9aab375bb4c5cd89b3ff525335633dfd895dddf2be0791c56f585a9675f0a91be0d20882260709c847e0c8757e0fb49f80a932b187eab2

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\MachineCode.dll
MD5
9e102bef178d20898b745933435ec0e3

SHA1
fe9bc1b491eddad26258188dfc80e2cc7afe1056

SHA256
4ae3ee49863956c1d947bd702feb9b00d59d702f7e3be1a1d389f2217f5d5ba9

SHA512
d88304334d7e7068cf4d85b57ade7389ae26d45393d8122cf0bde8a3bccca0030ee91a3bdb6cf06b6fbb929ed4585fe82f12c6a1290ec8dc2724d8c7ccf96226

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\nsDialogs.dll
MD5
6e64e5d5f9498058a300b26b8741d9d5

SHA1
837ce28e5e02788da63a7f1d8f20207d2b0bf523

SHA256
8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33

SHA512
f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\version.dll
MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2BF1.tmp\xtInfoPlugin.dll
MD5
8f358cfd9f9e30e64c536cd7dc5ce415

SHA1
cbca484d99ce8da6badebfb507550974af821c21

SHA256
6f12201a1c80198b9c9a6667c459c348230c587839a1f7b1133e14720b708aca

SHA512
14c69403c62ee82b5357980f0c76a4d9b80c7725790e0b9691a60394efc2787361f6b7dee83ca62f1b9ef6eae90bdf7d033b8c4ba6bacd51403187004b944c8a

Download Submit
memory/1532-11-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1632-2-0x0000000076341000-0x0000000076343000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads