144e3d921c49a8a6d954df3b8fb8454b323d91ef8c0988616457179306ab6fdd

General

Target

GetPassword.exe
Size

4.0MB
MD5

f0a1fe5a57b78e79f5e18373d001c4c5
SHA1

f70986a97286b6c1d6fcd7d6cd213733d923347e
SHA256

144e3d921c49a8a6d954df3b8fb8454b323d91ef8c0988616457179306ab6fdd
SHA512

19e6abcbd9bccaded67c7c9ce1cab178daa266e326fe26df2cd5895679e76cd782769796c7923bac8aca7aa36d8c938ed36ed82ffc28a53aadb0a02ac75dbb70

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd	upx

Loads dropped DLL 3 IoCs

Processes:

GetPassword.exe

pid process

1552 GetPassword.exe
1552 GetPassword.exe
1552 GetPassword.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GetPassword.exe

description pid process

Token: 35 1552 GetPassword.exe
Token: SeShutdownPrivilege 1552 GetPassword.exe

pid	process
1552	GetPassword.exe
1552	GetPassword.exe
1552	GetPassword.exe

description	pid	process
Token: 35	1552	GetPassword.exe
Token: SeShutdownPrivilege	1552	GetPassword.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

GetPassword.exe

description	pid	process	target process
PID 1520 wrote to memory of 1552	1520	GetPassword.exe	GetPassword.exe
PID 1520 wrote to memory of 1552	1520	GetPassword.exe	GetPassword.exe
PID 1520 wrote to memory of 1552	1520	GetPassword.exe	GetPassword.exe
PID 1520 wrote to memory of 1552	1520	GetPassword.exe	GetPassword.exe

C:\Users\Admin\AppData\Local\Temp\GetPassword.exe
"C:\Users\Admin\AppData\Local\Temp\GetPassword.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\GetPassword.exe
"C:\Users\Admin\AppData\Local\Temp\GetPassword.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1552

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140.dll
Filesize
81KB

MD5
aeab74db6bc6c914997f1a8a9ff013ec

SHA1
6b717f23227d158d6aa566498c438b8f305a29b5

SHA256
18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

SHA512
a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd
Filesize
47KB

MD5
80c6c5f414828534b627d4f1d49441b9

SHA1
be4e075f349c283e9fe28bacd587ea2f15b8b9d9

SHA256
593fa1098c61ae4a075444202cd51700a96813562270f0ac069cf12b3568fbe5

SHA512
885daec7c9b7fac16837d5a8f8f40998febaea212a4a61bc76667e12352be4ae80f8186c5e0a5458f2aef07232297b679c275c5d77a9e3bd811f34bcc10e2c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\base_library.zip
Filesize
777KB

MD5
ca531de5744f22c704de726bd3353404

SHA1
bc19aa77ad9bbac86bae3a7209bca5fc2d602ed3

SHA256
a50f524eed66843246d6fdb765fb5a96c33b4aa4aab2efda7c11592c2ef80606

SHA512
42e19ee714e2d7de0ed29645d21c50946abd90cec29d04bf1a6a7fba26cbe664b1c3bae55fa011b58d7ea33736e2a1667615abc93ad89f976591d8ccfcf4ff2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll
Filesize
1.0MB

MD5
6c6380043c7571b9090804178a200f1b

SHA1
9cb4e31a84dcb8bd2525628778c376db67108418

SHA256
24529874761bb931bca4cd8816841c946762b5b3db1c0f77129d004902d0f10b

SHA512
140845dfed436f5bc0258132c5bf1fcd50f8ccd9f3804a48d3a534e978729ef5268e8146b0f5ab0ab5c3e52d194bb1eb33cd0a85e9cf125d07cf2956b053c3a9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140.dll
Filesize
81KB

MD5
aeab74db6bc6c914997f1a8a9ff013ec

SHA1
6b717f23227d158d6aa566498c438b8f305a29b5

SHA256
18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

SHA512
a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd
Filesize
47KB

MD5
80c6c5f414828534b627d4f1d49441b9

SHA1
be4e075f349c283e9fe28bacd587ea2f15b8b9d9

SHA256
593fa1098c61ae4a075444202cd51700a96813562270f0ac069cf12b3568fbe5

SHA512
885daec7c9b7fac16837d5a8f8f40998febaea212a4a61bc76667e12352be4ae80f8186c5e0a5458f2aef07232297b679c275c5d77a9e3bd811f34bcc10e2c4e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15202\python37.dll
Filesize
1.0MB

MD5
6c6380043c7571b9090804178a200f1b

SHA1
9cb4e31a84dcb8bd2525628778c376db67108418

SHA256
24529874761bb931bca4cd8816841c946762b5b3db1c0f77129d004902d0f10b

SHA512
140845dfed436f5bc0258132c5bf1fcd50f8ccd9f3804a48d3a534e978729ef5268e8146b0f5ab0ab5c3e52d194bb1eb33cd0a85e9cf125d07cf2956b053c3a9

Download Submit
memory/1552-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads