Analysis

Max time kernel: 13s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-05-2022 02:45

Tasks
  static1 (static task)
  behavioral1 (behavioral task): sample GetPassword.exe, resource win7-20220414-en
  behavioral2 (behavioral task): sample GetPassword.exe, resource win10v2004-20220414-en

The process, signature and dropped-file details on this page are from the windows7_x64 / win7-20220414-en run (behavioral1), as the platform and resource fields above indicate.
General

Target: GetPassword.exe
Size: 4.0MB
MD5: f0a1fe5a57b78e79f5e18373d001c4c5
SHA1: f70986a97286b6c1d6fcd7d6cd213733d923347e
SHA256: 144e3d921c49a8a6d954df3b8fb8454b323d91ef8c0988616457179306ab6fdd
SHA512: 19e6abcbd9bccaded67c7c9ce1cab178daa266e326fe26df2cd5895679e76cd782769796c7923bac8aca7aa36d8c938ed36ed82ffc28a53aadb0a02ac75dbb70
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (4 IoCs)
Detects file using ACProtect software.
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll   acprotect
  \Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll     acprotect
  C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd    acprotect
  \Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd      acprotect

UPX yara match (4 IoCs, rule name upx)
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll   upx
  \Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll     upx
  C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd    upx
  \Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd      upx

Both rules fire on the same two dropped files (each listed twice, with and without the drive letter). Together with base_library.zip and VCRUNTIME140.dll under a _MEI<digits> directory in %TEMP%, these files are the runtime that a PyInstaller one-file executable extracts at startup, so a packer hit on the bundled python37.dll and _ctypes.pyd reflects how the sample was built rather than a custom protector on the sample itself. Confirm the UPX match on the dropped file (section names, entry-point stub) before treating the ACProtect hit as meaningful.
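One way to confirm the upx rule hit on a dropped python37.dll or _ctypes.pyd without a third-party module is to read the PE section table and look for the stock UPX0/UPX1 section names. The following is an added example written for this page; it is not the sandbox's rule, and the header-only PE it builds for a self-test is constructed input, not one of the files listed above. It parses only the DOS header, the COFF file header and the section table, which is all a section-name check needs.

```python
"""Confirm a `upx` yara hit by reading the PE section table directly (stdlib only)."""
import struct
import sys

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_names(pe: bytes) -> list:
    """Return the section names of a PE file in table order; raise on non-PE input."""
    if len(pe) < 0x40 or pe[:2] != DOS_MAGIC:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    coff_size = struct.calcsize(COFF_HEADER_FMT)
    if len(pe) < coff + coff_size:
        raise ValueError("truncated COFF header")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, pe, coff)
    # The section table follows the optional header, whose size is given in the COFF header.
    table = coff + coff_size + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        entry = pe[off:off + SECTION_HEADER_SIZE]
        if len(entry) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        names.append(entry[:8].rstrip(b"\0"))  # Name is the first 8 bytes, NUL padded
    return names


def looks_upx_packed(pe: bytes) -> bool:
    """True when the stock UPX section names are present."""
    return any(n in UPX_SECTION_NAMES for n in section_names(pe))


def build_minimal_pe(names) -> bytes:
    """Constructed test input: a header-only PE with the given section names.
    It is not loadable; it has just enough structure for section_names()."""
    e_lfanew = 0x40
    dos_header = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(COFF_HEADER_FMT, 0x8664, len(names), 0, 0, 0, 0, 0x2022)
    section_table = b"".join(
        n.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8) for n in names
    )
    return dos_header + PE_SIGNATURE + coff_header + section_table


if __name__ == "__main__":
    # Usage: python check_upx.py <path-to-dropped-dll>; with no argument, runs on constructed input.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
    print("sections:", [n.decode("ascii", "replace") for n in section_names(data)])
    print("UPX section names present:", looks_upx_packed(data))
```

A negative result is not proof of absence: a repacked or renamed-section file keeps the UPX decompression stub but not the UPX0/UPX1 names, which is why packer yara rules usually match on the entry-point stub as well as on section names.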
Loads dropped DLL (3 IoCs)
  pid   process
  1552  GetPassword.exe
  1552  GetPassword.exe
  1552  GetPassword.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   process
  Token: 35                   1552  GetPassword.exe
  Token: SeShutdownPrivilege  1552  GetPassword.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   process          target process
  PID 1520 wrote to memory of 1552   1520  GetPassword.exe  GetPassword.exe
  PID 1520 wrote to memory of 1552   1520  GetPassword.exe  GetPassword.exe
  PID 1520 wrote to memory of 1552   1520  GetPassword.exe  GetPassword.exe
  PID 1520 wrote to memory of 1552   1520  GetPassword.exe  GetPassword.exe

The only cross-process writes recorded are from the first GetPassword.exe (PID 1520) into a second copy of the same image (PID 1552) that it spawned; no foreign process is written to. That is consistent with a one-file bootloader setting up the child it re-launches after extraction, not with injection into another process.

Processes

C:\Users\Admin\AppData\Local\Temp\GetPassword.exe (PID 1520)
  "C:\Users\Admin\AppData\Local\Temp\GetPassword.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\GetPassword.exe (PID 1552, child of 1520)
      "C:\Users\Admin\AppData\Local\Temp\GetPassword.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
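The process tree and the dropped-file paths above form a recognisable pattern: an executable spawns a second copy of itself, and the child loads DLLs from a _MEI<digits> directory under %TEMP% that also holds a python<NN>.dll and base_library.zip. The following added example (not the sandbox's own signature logic) turns that pattern into a small detection over process-create and file/load events. The event schema is an assumption for the example, and SAMPLE_EVENTS is constructed from the PIDs and paths on this page; the report does not give the parent of PID 1520, so it is left as None.

```python
"""Flag the PyInstaller one-file launch pattern from process and file events."""
import re
from collections import defaultdict

# One-file bootloaders extract into %TEMP%\_MEI<digits>\ and then re-launch the same image.
MEI_DIR = re.compile(r"\\(_MEI\d+)\\", re.IGNORECASE)
RUNTIME_MARKERS = (
    re.compile(r"\\python\d+\.dll$", re.IGNORECASE),
    re.compile(r"\\base_library\.zip$", re.IGNORECASE),
)


def detect_pyinstaller_onefile(events):
    """Return [(parent_pid, child_pid, mei_dir, markers)] for every child whose image
    equals its parent's image and where either process touched a _MEI directory
    holding PyInstaller runtime files.

    events: dicts with "type" in {"process", "file", "load"}; see SAMPLE_EVENTS
    (assumed schema for this example, not a sandbox export format).
    """
    image, parent = {}, {}
    mei_dirs = defaultdict(set)
    markers = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            image[ev["pid"]] = ev["image"].lower()
            parent[ev["pid"]] = ev.get("ppid")
        elif ev["type"] in ("file", "load"):
            m = MEI_DIR.search(ev["path"])
            if not m:
                continue
            mei_dirs[ev["pid"]].add(m.group(1))
            if any(p.search(ev["path"]) for p in RUNTIME_MARKERS):
                markers[ev["pid"]].add(ev["path"].rsplit("\\", 1)[-1].lower())
    findings = []
    for pid, ppid in parent.items():
        # Same image re-launched by its own parent: the bootloader's parent/child pair.
        if ppid is None or ppid == pid or image.get(ppid) != image.get(pid):
            continue
        dirs = mei_dirs[pid] | mei_dirs[ppid]
        hits = markers[pid] | markers[ppid]
        if dirs and hits:
            findings.append((ppid, pid, sorted(dirs)[0], sorted(hits)))
    return findings


# Constructed from the PIDs and paths in this report; the parent of 1520 is not recorded.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1520, "ppid": None, "image": TEMP + r"\GetPassword.exe"},
    {"type": "file", "pid": 1520, "path": TEMP + r"\_MEI15202\python37.dll"},
    {"type": "file", "pid": 1520, "path": TEMP + r"\_MEI15202\base_library.zip"},
    {"type": "process", "pid": 1552, "ppid": 1520, "image": TEMP + r"\GetPassword.exe"},
    {"type": "load", "pid": 1552, "path": TEMP + r"\_MEI15202\python37.dll"},
    {"type": "load", "pid": 1552, "path": TEMP + r"\_MEI15202\_ctypes.pyd"},
    {"type": "load", "pid": 1552, "path": TEMP + r"\_MEI15202\VCRUNTIME140.dll"},
]

if __name__ == "__main__":
    for ppid, pid, mei, hits in detect_pyinstaller_onefile(SAMPLE_EVENTS):
        print(f"PyInstaller one-file launch: {ppid} -> {pid}, runtime in {mei}, markers {hits}")
```

This identifies the packaging, not the intent: every PyInstaller one-file program, benign or not, produces the same parent/child pair and the same _MEI extraction, so the finding is a pivot (unpack the bundle and read the Python payload) rather than a verdict.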
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140.dll
  Filesize: 81KB
  MD5: aeab74db6bc6c914997f1a8a9ff013ec
  SHA1: 6b717f23227d158d6aa566498c438b8f305a29b5
  SHA256: 18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b
  SHA512: a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd
  Filesize: 47KB
  MD5: 80c6c5f414828534b627d4f1d49441b9
  SHA1: be4e075f349c283e9fe28bacd587ea2f15b8b9d9
  SHA256: 593fa1098c61ae4a075444202cd51700a96813562270f0ac069cf12b3568fbe5
  SHA512: 885daec7c9b7fac16837d5a8f8f40998febaea212a4a61bc76667e12352be4ae80f8186c5e0a5458f2aef07232297b679c275c5d77a9e3bd811f34bcc10e2c4e

C:\Users\Admin\AppData\Local\Temp\_MEI15202\base_library.zip
  Filesize: 777KB
  MD5: ca531de5744f22c704de726bd3353404
  SHA1: bc19aa77ad9bbac86bae3a7209bca5fc2d602ed3
  SHA256: a50f524eed66843246d6fdb765fb5a96c33b4aa4aab2efda7c11592c2ef80606
  SHA512: 42e19ee714e2d7de0ed29645d21c50946abd90cec29d04bf1a6a7fba26cbe664b1c3bae55fa011b58d7ea33736e2a1667615abc93ad89f976591d8ccfcf4ff2c

C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll
  Filesize: 1.0MB
  MD5: 6c6380043c7571b9090804178a200f1b
  SHA1: 9cb4e31a84dcb8bd2525628778c376db67108418
  SHA256: 24529874761bb931bca4cd8816841c946762b5b3db1c0f77129d004902d0f10b
  SHA512: 140845dfed436f5bc0258132c5bf1fcd50f8ccd9f3804a48d3a534e978729ef5268e8146b0f5ab0ab5c3e52d194bb1eb33cd0a85e9cf125d07cf2956b053c3a9

The sandbox also lists VCRUNTIME140.dll, _ctypes.pyd and python37.dll a second time under the drive-less path \Users\Admin\AppData\Local\Temp\_MEI15202\, with the same sizes and hashes as the entries above; they are the same three files, not additional drops.

Memory dumps
  memory/1552-54-0x0000000000000000-mapping.dmp