Analysis

max time kernel: 146s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 18:49

Static task: static1
Behavioral task: behavioral1
Sample: a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Resource: win7-20220414-en
General

Target: a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Size: 132KB
MD5: 1ed78fc38a21e92a182cce94a1c470ee
SHA1: 98e18d7505e45c89cfb322b7f6300ca9ec623f33
SHA256: a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f
SHA512: 6c8e4d31d6f0fb84298e1bbd58c15fe1f2f0940c31b7e283d05392cab8599d4df643dec282eaac4c05b75e65ce21ddde2ac5dceab0907a8c887981b022aa3544
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.

resource                          yara_rule
C:\Windows\SysWOW64\avicap3.dll   acprotect
C:\Windows\SysWOW64\avicap3.dll   acprotect

YARA rule upx (2 IoCs)

resource                          yara_rule
C:\Windows\SysWOW64\avicap3.dll   upx
C:\Windows\SysWOW64\avicap3.dll   upx

Both packer rules fire on the same dropped DLL, not on the submitted executable.
Loads dropped DLL (2 IoCs)

pid    process
4532   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
4532   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Installs/modifies Browser Helper Object (2 TTPs)
BHOs are DLL modules which act as plugins for Internet Explorer.

Modifies registry class (6 IoCs)

description       ioc                                                                                                              process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32       a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node                                                                   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                             a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}                      a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32\ = "C:\\Windows\\SysWow64\\avicap3.dll"   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32\ThreadingModel = "apartment"   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

The sample registers the dropped DLL as a 32-bit in-process COM server (WOW6432Node view on a 64-bit host). The registry events captured here show only the CLSID registration, not the Browser Helper Objects list key itself.
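A host-side check for the persistence recorded above, added here as an example; it is not part of the sandbox output and was not run by the report. It reads the CLSID registration the sample wrote, checks whether that CLSID is also listed as an Internet Explorer BHO (the standard Explorer\Browser Helper Objects keys, which the captured registry events do not show, so both 32- and 64-bit views are probed), and compares the dropped DLL against the SHA256 given in the Downloads section. The CLSID, DLL path and hash are taken from this report; the cmdlets are standard PowerShell. Note the dropped file is named avicap3.dll, one character off from the legitimate avicap32.dll in the same directory, so match on the exact name.

```powershell
# Added example: hunt for the COM/BHO registration and dropped DLL from this report.
# IoCs below are copied from the report; registry paths are the standard Windows locations.
$Clsid   = '{F64ED182-6535-4B9B-80B8-7B2AE466CE60}'
$DllPath = 'C:\Windows\SysWOW64\avicap3.dll'
$Sha256  = '207a2bffd792bd4f5075c80d4f5bb365db764c26d704d332acb06f44439d9e2f'

# 1. In-process COM server registration written by the sample (32-bit view on x64).
$inproc = "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid\InprocServer32"
if (Test-Path -Path $inproc) {
    $p = Get-ItemProperty -Path $inproc
    "[+] CLSID registered: $Clsid"
    "    InprocServer32 = $($p.'(default)')"
    "    ThreadingModel = $($p.ThreadingModel)"
} else {
    "[-] CLSID $Clsid not registered under WOW6432Node"
}

# 2. Is the same CLSID wired in as a Browser Helper Object? Check both registry views.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (Test-Path -Path (Join-Path -Path $root -ChildPath $Clsid)) {
        "[+] BHO entry present: $root\$Clsid"
    }
}

# 3. Dropped DLL on disk: confirm the hash from the report and look at the Authenticode status.
if (Test-Path -Path $DllPath) {
    $hash = (Get-FileHash -Path $DllPath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $DllPath
    "[+] $DllPath present; SHA256 matches report: $($hash -ieq $Sha256); signature: $($sig.Status)"
} else {
    "[-] $DllPath not found"
}
```

Run it in an elevated PowerShell session on the suspect host. A CLSID registration alone is not proof of a BHO; the hit that matters is the same CLSID appearing under one of the Browser Helper Objects keys with its InprocServer32 pointing at an unsigned DLL in SysWOW64.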
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid    process
4532   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
4532   a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe (PID 4532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe"
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\avicap3.dll
Filesize: 86KB
MD5: 4df772463f5042b81d22087483e7ed34
SHA1: 8ecabe637b2240c61fe30b2e2c2857831e956d1c
SHA256: 207a2bffd792bd4f5075c80d4f5bb365db764c26d704d332acb06f44439d9e2f
SHA512: 29c1354b39eb92517ae6431cbd7c7f9f636d29caf915aacf3f4083d1650541f40e2e62fab1104811781ec00987726f81ce4d1e23c9287e0a957e78cb3a6c9d1d