Analysis
max time kernel: 118s
max time network: 153s
platform: windows10_x64
resource: win10-en-20210920
submitted: 04-11-2021 15:10
Static task: static1
Behavioral task: behavioral1
Sample: aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
Resource: win10-en-20210920
General
Target: aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
Size: 6.4MB
MD5: 765661ae2b8e916652f91b80d33f0592
SHA1: 055cc7c7162a16085e118ee07d0f5d1785f9ac87
SHA256: aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98
SHA512: bce2cc2ce7c49f2394518ce55887175debb9103808c9772dd338a20eb0dc4d21dc3c7050fbaca79baea66fd396205eb75b86e6eca979949f8b027dd5c1dce2e5
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 22 IoCs
Detects file using ACProtect software.
Processes (resource, yara_rule):
C:\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd  acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd  acprotect
\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd  acprotect

Processes (resource, yara_rule):
C:\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll  upx
\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll  upx
\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll  upx
\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd  upx
C:\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd  upx
\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd  upx
Loads dropped DLL 13 IoCs
Processes (pid, process):
1220  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
(13 entries, all with pid 1220 and the same process)

Suspicious use of WriteProcessMemory 3 IoCs
Processes (description, pid, process, target process):
PID 8 wrote to memory of 1220  8  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
PID 8 wrote to memory of 1220  8  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
PID 8 wrote to memory of 1220  8  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe  aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
Processes
C:\Users\Admin\AppData\Local\Temp\aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe (child process)
      command line: "C:\Users\Admin\AppData\Local\Temp\aa4815b23651a8f1df468a90fb47e0855ba99d3a74886ac4cb47801efb24fc98.exe"
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI82\VCRUNTIME140.dll
MD5: b8ae902fe1909c0c725ba669074292e2
SHA1: 46524eff65947cbef0e08f97c98a7b750d6077f3
SHA256: 657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c
SHA512: 4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

C:\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd
MD5: 6620ba42c35b64acfff425f62e93709d
SHA1: a39f3f1a2538e5908a047f41cf00896aa4731262
SHA256: 5ab7c8c172ea29638766e912b1c9b15276542d44ec49f4d91c7af63e5357a83a
SHA512: 0a9d7a97f0083136b7aef48eb4281b3229ed4ed55aa8350c9d1cde622a94aa0867eb795917a688f7eb1ae95f99d389f14c084e9c93492901e8acfc526ff922bf

C:\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd
MD5: 38451fe7d1c394f250026cb39cd627a8
SHA1: fc5cbb9152decc26d10823dd613a9ab615eeda70
SHA256: 7191f94b040fd1daf7707cb71f8ab92773d9b795da7fa18789f6d08a41203c9a
SHA512: a41852e7b52c36ec8a76b267a1254e5496d9a549b9ccfe964ee64e158b1bd6959f35bc67d3df6db77578a8287822fa9643980f7d5db9d2e2856172fb148f678d

C:\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd
MD5: 2624d9a7cae295e166765144b3cc25a0
SHA1: 90c21f1693cd2c68cf9d79cbf577b70f43ea55b9
SHA256: 63c2ba1b70ccb705e4d153e15975870c42be2c1b48d386c94ad6e129c3d035ab
SHA512: 92521ef2963521bb106738267a06fa0cb4bf56d99f38241dbaa3413734747c1eb58ec73da781539dff1cfcf84f18d2c2028b5e091ac12c103f5ad8cb1c214f0b

C:\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd
MD5: c72e44ff31c1727add704a7cd3d9d4d7
SHA1: b98702b0ba739760f8289ce1c9e3d74bbc1e8743
SHA256: a9d16038606153f3f10e78480c7657ef2fa0af36a77c4caac8450bdb7c434582
SHA512: d03e4934d50f55591664d189049f7573a75aed59317421e469d8ea65c3608c072f458486fc3e03cd4676ccc838cc5b4b6de863d1bcc4f5286419b589832da58a

C:\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd
MD5: 1524f0c3a2e4b99b5773d112b62df086
SHA1: 95325b4b5bb67c7a47be3981186fd9ce7c778d87
SHA256: 3d50491cd2bdcc3f98bcb79b68504b6262c73234555f45ff7db8dcdfca512fe9
SHA512: 587d756e99b11250a6a505d6efd287ab6d088fb991f3310262f32bb4012662ac88804901b7aad56a533d1f14023a7d87f5d7a588db30e9e8eed587af461168b3

C:\Users\Admin\AppData\Local\Temp\_MEI82\base_library.zip
MD5: 43f92e893d69970c5dd5883c56ce2dd3
SHA1: 3c62261ae6aadb87784229c2265a3996b10b6432
SHA256: 4c390c6349750187e91e5319baf324eeb386f569d7dfacdbc712c5b49d9aa2b3
SHA512: 784eed5e2b381cc68d1bcbc8048e3b6578528062fd34cfd0b5098050d2ab12186fe370ec6353ad573aee71b19b7172ab67f65d3d694c9dc92256bdb256631ab4

C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd
MD5: 672c17b6639bea02c628d46376b82ff8
SHA1: 089584b54cea4db7bd42d616e3c91991a46d82a2
SHA256: 1058bdb3731792e78865a664f460f17591445278785d2cb4c6406382863a4165
SHA512: 58134d532aa5d48b9a186d13c72350d120fdcff570d797e4ec7f9876040123a7e2d4df07aeb08deccdba85bb6caae6a0f970a197228b3752e0f9470f336c6f8c

C:\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd
MD5: 9b5cd6c5838327bdaa1b1a1d55d6691a
SHA1: f273b9aa7aea3af6c9d3c09fd4ec63b1ae76bb30
SHA256: 8772745ed885781bd3867cde8c23c07c8d9ff67b11941fbf89f3cfbf4a3db3b3
SHA512: d3cc2af1aaaf91cdb1c483f4f541c652ce714ebbda0bc842e68ec403457bce109a47ac6f6514510cb8de7aa6171b8be89ba79e60334c321d6ff09f55c5f3ca96

C:\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll
MD5: d444a4d727eda8b1ff941415c17930b5
SHA1: 7b85bef7ec6e7a808df24fef791c8fd7a8ab3111
SHA256: ce30548ce3b32a351e2f84b991eb2b000108367513b939c8999928be520e2086
SHA512: b54ab37e26bffc4d82f05ac739970d665ea6274988ba2c75bc802397438ac94eb78e32350f4135342fe7b74e34534127a77e72292b24a0af8f8d3c4229fa058e

C:\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll
MD5: e3adbe89834e45e41962a5c932f93eca
SHA1: 4b1e91af7655f4649c934c923b44c24f3726ce1c
SHA256: 0d248e8b0fa8dc6d4339721b5848b2bec4a1a914ba5745fdb027e936cd63e3e3
SHA512: e3ec88c578c78ecf41277aa2311bc7811e63f55f61e6b2dd881cdc9a3e686f585b1003dc1691170b1a3cfc00a8a854a780e914b582a01546b97f3711ed331d87

C:\Users\Admin\AppData\Local\Temp\_MEI82\python3.DLL
MD5: c4854fb4dc3017e204fa2f534cf66fd3
SHA1: a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0
SHA256: 8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7
SHA512: c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

C:\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll
MD5: 9e8ad37c6ee0f6d0d7e5f73411261459
SHA1: bdc649eed0a898b7df9768d34c7016e657d06bcc
SHA256: f00cd2eec777fcdb6568b428d1374f780a7cf492de23ec0e37478a883a91f575
SHA512: 87ccf224be3a4ece4324f6dc8cbc538c8ede330e2ffb9135a8c866d44132f4e59a5a2f633e9a6d96413b1b2e64a194d2b63bd685b7e6ad9398f872e4d3f357dc

C:\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd
MD5: af2235e9c13c0f1344931cbd98f3e7de
SHA1: b321b0cbf4da3c5826fece36e1f404c0f44b88ee
SHA256: 5695a476b638922fa899b0064ad1b5c8564f0ba1017e0ba78592adde5b101c98
SHA512: bcdd2c3b5c8dd19d96b45b293b41dbb904a4f9cfe191d7e66fe5943c7598760b44dcba9957bbf9345313125fd580eae0e0a9dd82035e09bea04516ef4c759e25
\Users\Admin\AppData\Local\Temp\_MEI82\VCRUNTIME140.dll
MD5: b8ae902fe1909c0c725ba669074292e2
SHA1: 46524eff65947cbef0e08f97c98a7b750d6077f3
SHA256: 657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c
SHA512: 4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

\Users\Admin\AppData\Local\Temp\_MEI82\_cffi_backend.cp39-win32.pyd
MD5: 6620ba42c35b64acfff425f62e93709d
SHA1: a39f3f1a2538e5908a047f41cf00896aa4731262
SHA256: 5ab7c8c172ea29638766e912b1c9b15276542d44ec49f4d91c7af63e5357a83a
SHA512: 0a9d7a97f0083136b7aef48eb4281b3229ed4ed55aa8350c9d1cde622a94aa0867eb795917a688f7eb1ae95f99d389f14c084e9c93492901e8acfc526ff922bf

\Users\Admin\AppData\Local\Temp\_MEI82\_ctypes.pyd
MD5: 38451fe7d1c394f250026cb39cd627a8
SHA1: fc5cbb9152decc26d10823dd613a9ab615eeda70
SHA256: 7191f94b040fd1daf7707cb71f8ab92773d9b795da7fa18789f6d08a41203c9a
SHA512: a41852e7b52c36ec8a76b267a1254e5496d9a549b9ccfe964ee64e158b1bd6959f35bc67d3df6db77578a8287822fa9643980f7d5db9d2e2856172fb148f678d

\Users\Admin\AppData\Local\Temp\_MEI82\_hashlib.pyd
MD5: 2624d9a7cae295e166765144b3cc25a0
SHA1: 90c21f1693cd2c68cf9d79cbf577b70f43ea55b9
SHA256: 63c2ba1b70ccb705e4d153e15975870c42be2c1b48d386c94ad6e129c3d035ab
SHA512: 92521ef2963521bb106738267a06fa0cb4bf56d99f38241dbaa3413734747c1eb58ec73da781539dff1cfcf84f18d2c2028b5e091ac12c103f5ad8cb1c214f0b

\Users\Admin\AppData\Local\Temp\_MEI82\_queue.pyd
MD5: c72e44ff31c1727add704a7cd3d9d4d7
SHA1: b98702b0ba739760f8289ce1c9e3d74bbc1e8743
SHA256: a9d16038606153f3f10e78480c7657ef2fa0af36a77c4caac8450bdb7c434582
SHA512: d03e4934d50f55591664d189049f7573a75aed59317421e469d8ea65c3608c072f458486fc3e03cd4676ccc838cc5b4b6de863d1bcc4f5286419b589832da58a

\Users\Admin\AppData\Local\Temp\_MEI82\_socket.pyd
MD5: 1524f0c3a2e4b99b5773d112b62df086
SHA1: 95325b4b5bb67c7a47be3981186fd9ce7c778d87
SHA256: 3d50491cd2bdcc3f98bcb79b68504b6262c73234555f45ff7db8dcdfca512fe9
SHA512: 587d756e99b11250a6a505d6efd287ab6d088fb991f3310262f32bb4012662ac88804901b7aad56a533d1f14023a7d87f5d7a588db30e9e8eed587af461168b3

\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_openssl.pyd
MD5: 672c17b6639bea02c628d46376b82ff8
SHA1: 089584b54cea4db7bd42d616e3c91991a46d82a2
SHA256: 1058bdb3731792e78865a664f460f17591445278785d2cb4c6406382863a4165
SHA512: 58134d532aa5d48b9a186d13c72350d120fdcff570d797e4ec7f9876040123a7e2d4df07aeb08deccdba85bb6caae6a0f970a197228b3752e0f9470f336c6f8c

\Users\Admin\AppData\Local\Temp\_MEI82\cryptography\hazmat\bindings\_rust.pyd
MD5: 9b5cd6c5838327bdaa1b1a1d55d6691a
SHA1: f273b9aa7aea3af6c9d3c09fd4ec63b1ae76bb30
SHA256: 8772745ed885781bd3867cde8c23c07c8d9ff67b11941fbf89f3cfbf4a3db3b3
SHA512: d3cc2af1aaaf91cdb1c483f4f541c652ce714ebbda0bc842e68ec403457bce109a47ac6f6514510cb8de7aa6171b8be89ba79e60334c321d6ff09f55c5f3ca96

\Users\Admin\AppData\Local\Temp\_MEI82\libcrypto-1_1.dll
MD5: d444a4d727eda8b1ff941415c17930b5
SHA1: 7b85bef7ec6e7a808df24fef791c8fd7a8ab3111
SHA256: ce30548ce3b32a351e2f84b991eb2b000108367513b939c8999928be520e2086
SHA512: b54ab37e26bffc4d82f05ac739970d665ea6274988ba2c75bc802397438ac94eb78e32350f4135342fe7b74e34534127a77e72292b24a0af8f8d3c4229fa058e

\Users\Admin\AppData\Local\Temp\_MEI82\libffi-7.dll
MD5: e3adbe89834e45e41962a5c932f93eca
SHA1: 4b1e91af7655f4649c934c923b44c24f3726ce1c
SHA256: 0d248e8b0fa8dc6d4339721b5848b2bec4a1a914ba5745fdb027e936cd63e3e3
SHA512: e3ec88c578c78ecf41277aa2311bc7811e63f55f61e6b2dd881cdc9a3e686f585b1003dc1691170b1a3cfc00a8a854a780e914b582a01546b97f3711ed331d87

\Users\Admin\AppData\Local\Temp\_MEI82\python3.dll
MD5: c4854fb4dc3017e204fa2f534cf66fd3
SHA1: a2d29257a674cbba241f1bf4ba1f1a7ffa9d95b0
SHA256: 8f43294fc0413661b4703415d5672cd587b336bc6bc4c97033c4f3abd65305e7
SHA512: c0c60aafa911a2d1694a7956a32b8328bb266e7dfe8719e9a6d5aded6372023828b6d227a02d7973edecab37daf47f59ba32a4c861542287fb95ede8bb2a362f

\Users\Admin\AppData\Local\Temp\_MEI82\python39.dll
MD5: 9e8ad37c6ee0f6d0d7e5f73411261459
SHA1: bdc649eed0a898b7df9768d34c7016e657d06bcc
SHA256: f00cd2eec777fcdb6568b428d1374f780a7cf492de23ec0e37478a883a91f575
SHA512: 87ccf224be3a4ece4324f6dc8cbc538c8ede330e2ffb9135a8c866d44132f4e59a5a2f633e9a6d96413b1b2e64a194d2b63bd685b7e6ad9398f872e4d3f357dc

\Users\Admin\AppData\Local\Temp\_MEI82\select.pyd
MD5: af2235e9c13c0f1344931cbd98f3e7de
SHA1: b321b0cbf4da3c5826fece36e1f404c0f44b88ee
SHA256: 5695a476b638922fa899b0064ad1b5c8564f0ba1017e0ba78592adde5b101c98
SHA512: bcdd2c3b5c8dd19d96b45b293b41dbb904a4f9cfe191d7e66fe5943c7598760b44dcba9957bbf9345313125fd580eae0e0a9dd82035e09bea04516ef4c759e25
memory/1220-115-0x0000000000000000-mapping.dmp