aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98

Analysis

max time kernel
103s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-11-2021 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765661ae2b8e916652f91b80d33f0592.exe
Size

6.4MB
MD5

765661ae2b8e916652f91b80d33f0592
SHA1

055cc7c7162a16085e118ee07d0f5d1785f9ac87
SHA256

aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98
SHA512

bce2cc2ce7c49f2394518ce55887175debb9103808c9772dd338a20eb0dc4d21dc3c7050fbaca79baea66fd396205eb75b86e6eca979949f8b027dd5c1dce2e5

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 22 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd	acprotect

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd	upx

Loads dropped DLL 13 IoCs

Processes:

765661ae2b8e916652f91b80d33f0592.exe

pid	process
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe
4084	765661ae2b8e916652f91b80d33f0592.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

765661ae2b8e916652f91b80d33f0592.exe

description	pid	process	target process
PID 1456 wrote to memory of 4084	1456	765661ae2b8e916652f91b80d33f0592.exe	765661ae2b8e916652f91b80d33f0592.exe
PID 1456 wrote to memory of 4084	1456	765661ae2b8e916652f91b80d33f0592.exe	765661ae2b8e916652f91b80d33f0592.exe
PID 1456 wrote to memory of 4084	1456	765661ae2b8e916652f91b80d33f0592.exe	765661ae2b8e916652f91b80d33f0592.exe

C:\Users\Admin\AppData\Local\Temp\765661ae2b8e916652f91b80d33f0592.exe
"C:\Users\Admin\AppData\Local\Temp\765661ae2b8e916652f91b80d33f0592.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\765661ae2b8e916652f91b80d33f0592.exe
"C:\Users\Admin\AppData\Local\Temp\765661ae2b8e916652f91b80d33f0592.exe"
2⤵
- Loads dropped DLL
PID:4084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI14562\VCRUNTIME140.dll
MD5
b8ae902fe1909c0c725ba669074292e2

SHA1
46524eff65947cbef0e08f97c98a7b750d6077f3

SHA256
657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

SHA512
4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd
MD5
6620ba42c35b64acfff425f62e93709d

SHA1
a39f3f1a2538e5908a047f41cf00896aa4731262

SHA256
5ab7c8c172ea29638766e912b1c9b15276542d44ec49f4d91c7af63e5357a83a

SHA512
0a9d7a97f0083136b7aef48eb4281b3229ed4ed55aa8350c9d1cde622a94aa0867eb795917a688f7eb1ae95f99d389f14c084e9c93492901e8acfc526ff922bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd
MD5
38451fe7d1c394f250026cb39cd627a8

SHA1
fc5cbb9152decc26d10823dd613a9ab615eeda70

SHA256
7191f94b040fd1daf7707cb71f8ab92773d9b795da7fa18789f6d08a41203c9a

SHA512
a41852e7b52c36ec8a76b267a1254e5496d9a549b9ccfe964ee64e158b1bd6959f35bc67d3df6db77578a8287822fa9643980f7d5db9d2e2856172fb148f678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd
MD5
2624d9a7cae295e166765144b3cc25a0

SHA1
90c21f1693cd2c68cf9d79cbf577b70f43ea55b9

SHA256
63c2ba1b70ccb705e4d153e15975870c42be2c1b48d386c94ad6e129c3d035ab

SHA512
92521ef2963521bb106738267a06fa0cb4bf56d99f38241dbaa3413734747c1eb58ec73da781539dff1cfcf84f18d2c2028b5e091ac12c103f5ad8cb1c214f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd
MD5
c72e44ff31c1727add704a7cd3d9d4d7

SHA1
b98702b0ba739760f8289ce1c9e3d74bbc1e8743

SHA256
a9d16038606153f3f10e78480c7657ef2fa0af36a77c4caac8450bdb7c434582

SHA512
d03e4934d50f55591664d189049f7573a75aed59317421e469d8ea65c3608c072f458486fc3e03cd4676ccc838cc5b4b6de863d1bcc4f5286419b589832da58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd
MD5
1524f0c3a2e4b99b5773d112b62df086

SHA1
95325b4b5bb67c7a47be3981186fd9ce7c778d87

SHA256
3d50491cd2bdcc3f98bcb79b68504b6262c73234555f45ff7db8dcdfca512fe9

SHA512
587d756e99b11250a6a505d6efd287ab6d088fb991f3310262f32bb4012662ac88804901b7aad56a533d1f14023a7d87f5d7a588db30e9e8eed587af461168b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\base_library.zip
MD5
43f92e893d69970c5dd5883c56ce2dd3

SHA1
3c62261ae6aadb87784229c2265a3996b10b6432

SHA256
4c390c6349750187e91e5319baf324eeb386f569d7dfacdbc712c5b49d9aa2b3

SHA512
784eed5e2b381cc68d1bcbc8048e3b6578528062fd34cfd0b5098050d2ab12186fe370ec6353ad573aee71b19b7172ab67f65d3d694c9dc92256bdb256631ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd
MD5
672c17b6639bea02c628d46376b82ff8

SHA1
089584b54cea4db7bd42d616e3c91991a46d82a2

SHA256
1058bdb3731792e78865a664f460f17591445278785d2cb4c6406382863a4165

SHA512
58134d532aa5d48b9a186d13c72350d120fdcff570d797e4ec7f9876040123a7e2d4df07aeb08deccdba85bb6caae6a0f970a197228b3752e0f9470f336c6f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd
MD5
9b5cd6c5838327bdaa1b1a1d55d6691a

SHA1
f273b9aa7aea3af6c9d3c09fd4ec63b1ae76bb30

SHA256
8772745ed885781bd3867cde8c23c07c8d9ff67b11941fbf89f3cfbf4a3db3b3

SHA512
d3cc2af1aaaf91cdb1c483f4f541c652ce714ebbda0bc842e68ec403457bce109a47ac6f6514510cb8de7aa6171b8be89ba79e60334c321d6ff09f55c5f3ca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll
MD5
d444a4d727eda8b1ff941415c17930b5

SHA1
7b85bef7ec6e7a808df24fef791c8fd7a8ab3111

SHA256
ce30548ce3b32a351e2f84b991eb2b000108367513b939c8999928be520e2086

SHA512
b54ab37e26bffc4d82f05ac739970d665ea6274988ba2c75bc802397438ac94eb78e32350f4135342fe7b74e34534127a77e72292b24a0af8f8d3c4229fa058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll
MD5
e3adbe89834e45e41962a5c932f93eca

SHA1
4b1e91af7655f4649c934c923b44c24f3726ce1c

SHA256
0d248e8b0fa8dc6d4339721b5848b2bec4a1a914ba5745fdb027e936cd63e3e3

SHA512
e3ec88c578c78ecf41277aa2311bc7811e63f55f61e6b2dd881cdc9a3e686f585b1003dc1691170b1a3cfc00a8a854a780e914b582a01546b97f3711ed331d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\python3.DLL
MD5
c4854fb4dc3017e204fa2f534cf66fd3

SHA1
a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0

SHA256
8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7

SHA512
c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll
MD5
9e8ad37c6ee0f6d0d7e5f73411261459

SHA1
bdc649eed0a898b7df9768d34c7016e657d06bcc

SHA256
f00cd2eec777fcdb6568b428d1374f780a7cf492de23ec0e37478a883a91f575

SHA512
87ccf224be3a4ece4324f6dc8cbc538c8ede330e2ffb9135a8c866d44132f4e59a5a2f633e9a6d96413b1b2e64a194d2b63bd685b7e6ad9398f872e4d3f357dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd
MD5
af2235e9c13c0f1344931cbd98f3e7de

SHA1
b321b0cbf4da3c5826fece36e1f404c0f44b88ee

SHA256
5695a476b638922fa899b0064ad1b5c8564f0ba1017e0ba78592adde5b101c98

SHA512
bcdd2c3b5c8dd19d96b45b293b41dbb904a4f9cfe191d7e66fe5943c7598760b44dcba9957bbf9345313125fd580eae0e0a9dd82035e09bea04516ef4c759e25

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\VCRUNTIME140.dll
MD5
b8ae902fe1909c0c725ba669074292e2

SHA1
46524eff65947cbef0e08f97c98a7b750d6077f3

SHA256
657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

SHA512
4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\_cffi_backend.cp39-win32.pyd
MD5
6620ba42c35b64acfff425f62e93709d

SHA1
a39f3f1a2538e5908a047f41cf00896aa4731262

SHA256
5ab7c8c172ea29638766e912b1c9b15276542d44ec49f4d91c7af63e5357a83a

SHA512
0a9d7a97f0083136b7aef48eb4281b3229ed4ed55aa8350c9d1cde622a94aa0867eb795917a688f7eb1ae95f99d389f14c084e9c93492901e8acfc526ff922bf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\_ctypes.pyd
MD5
38451fe7d1c394f250026cb39cd627a8

SHA1
fc5cbb9152decc26d10823dd613a9ab615eeda70

SHA256
7191f94b040fd1daf7707cb71f8ab92773d9b795da7fa18789f6d08a41203c9a

SHA512
a41852e7b52c36ec8a76b267a1254e5496d9a549b9ccfe964ee64e158b1bd6959f35bc67d3df6db77578a8287822fa9643980f7d5db9d2e2856172fb148f678d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\_hashlib.pyd
MD5
2624d9a7cae295e166765144b3cc25a0

SHA1
90c21f1693cd2c68cf9d79cbf577b70f43ea55b9

SHA256
63c2ba1b70ccb705e4d153e15975870c42be2c1b48d386c94ad6e129c3d035ab

SHA512
92521ef2963521bb106738267a06fa0cb4bf56d99f38241dbaa3413734747c1eb58ec73da781539dff1cfcf84f18d2c2028b5e091ac12c103f5ad8cb1c214f0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\_queue.pyd
MD5
c72e44ff31c1727add704a7cd3d9d4d7

SHA1
b98702b0ba739760f8289ce1c9e3d74bbc1e8743

SHA256
a9d16038606153f3f10e78480c7657ef2fa0af36a77c4caac8450bdb7c434582

SHA512
d03e4934d50f55591664d189049f7573a75aed59317421e469d8ea65c3608c072f458486fc3e03cd4676ccc838cc5b4b6de863d1bcc4f5286419b589832da58a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\_socket.pyd
MD5
1524f0c3a2e4b99b5773d112b62df086

SHA1
95325b4b5bb67c7a47be3981186fd9ce7c778d87

SHA256
3d50491cd2bdcc3f98bcb79b68504b6262c73234555f45ff7db8dcdfca512fe9

SHA512
587d756e99b11250a6a505d6efd287ab6d088fb991f3310262f32bb4012662ac88804901b7aad56a533d1f14023a7d87f5d7a588db30e9e8eed587af461168b3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_openssl.pyd
MD5
672c17b6639bea02c628d46376b82ff8

SHA1
089584b54cea4db7bd42d616e3c91991a46d82a2

SHA256
1058bdb3731792e78865a664f460f17591445278785d2cb4c6406382863a4165

SHA512
58134d532aa5d48b9a186d13c72350d120fdcff570d797e4ec7f9876040123a7e2d4df07aeb08deccdba85bb6caae6a0f970a197228b3752e0f9470f336c6f8c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\cryptography\hazmat\bindings\_rust.pyd
MD5
9b5cd6c5838327bdaa1b1a1d55d6691a

SHA1
f273b9aa7aea3af6c9d3c09fd4ec63b1ae76bb30

SHA256
8772745ed885781bd3867cde8c23c07c8d9ff67b11941fbf89f3cfbf4a3db3b3

SHA512
d3cc2af1aaaf91cdb1c483f4f541c652ce714ebbda0bc842e68ec403457bce109a47ac6f6514510cb8de7aa6171b8be89ba79e60334c321d6ff09f55c5f3ca96

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\libcrypto-1_1.dll
MD5
d444a4d727eda8b1ff941415c17930b5

SHA1
7b85bef7ec6e7a808df24fef791c8fd7a8ab3111

SHA256
ce30548ce3b32a351e2f84b991eb2b000108367513b939c8999928be520e2086

SHA512
b54ab37e26bffc4d82f05ac739970d665ea6274988ba2c75bc802397438ac94eb78e32350f4135342fe7b74e34534127a77e72292b24a0af8f8d3c4229fa058e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\libffi-7.dll
MD5
e3adbe89834e45e41962a5c932f93eca

SHA1
4b1e91af7655f4649c934c923b44c24f3726ce1c

SHA256
0d248e8b0fa8dc6d4339721b5848b2bec4a1a914ba5745fdb027e936cd63e3e3

SHA512
e3ec88c578c78ecf41277aa2311bc7811e63f55f61e6b2dd881cdc9a3e686f585b1003dc1691170b1a3cfc00a8a854a780e914b582a01546b97f3711ed331d87

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\python3.dll
MD5
c4854fb4dc3017e204fa2f534cf66fd3

SHA1
a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0

SHA256
8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7

SHA512
c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\python39.dll
MD5
9e8ad37c6ee0f6d0d7e5f73411261459

SHA1
bdc649eed0a898b7df9768d34c7016e657d06bcc

SHA256
f00cd2eec777fcdb6568b428d1374f780a7cf492de23ec0e37478a883a91f575

SHA512
87ccf224be3a4ece4324f6dc8cbc538c8ede330e2ffb9135a8c866d44132f4e59a5a2f633e9a6d96413b1b2e64a194d2b63bd685b7e6ad9398f872e4d3f357dc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14562\select.pyd
MD5
af2235e9c13c0f1344931cbd98f3e7de

SHA1
b321b0cbf4da3c5826fece36e1f404c0f44b88ee

SHA256
5695a476b638922fa899b0064ad1b5c8564f0ba1017e0ba78592adde5b101c98

SHA512
bcdd2c3b5c8dd19d96b45b293b41dbb904a4f9cfe191d7e66fe5943c7598760b44dcba9957bbf9345313125fd580eae0e0a9dd82035e09bea04516ef4c759e25

Download Submit
memory/4084-116-0x0000000000000000-mapping.dmp

Download