c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8

General

Target

c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
Size

26KB
MD5

8f999bc022a3b43e421413c8fe56a50d
SHA1

9613ad87734ef93f4beda19677e9aa039695886c
SHA256

c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8
SHA512

70ff48630105f6f8980f0a5065489a86348e26f776e0a15d5d6e36c2442965ca8781973360c4b9022e65f2d22a3ba4cb212ce858435aa207eeabbd9e580e39d3
SSDEEP

768:EdS/C4/VfxyLb3k28DQ3KFkDBYmpJrOtLKRz7D:5KAVSkmBOtK

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022e4e-137.dat	acprotect
behavioral2/files/0x0007000000022e4e-138.dat	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e4e-137.dat	upx
behavioral2/files/0x0007000000022e4e-138.dat	upx
behavioral2/memory/1208-140-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe

Loads dropped DLL 1 IoCs

pid	Process
1208	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rescom.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
File created	C:\Windows\SysWOW64\MacSys.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
File created	C:\Windows\SysWOW64\bitmap.bat	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Ê¢´óÍøÂç\Ã°ÏÕµºonline\comres.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
File created	C:\Program Files\Ê¢´óÍøÂç\Ã°ÏÕµºonline\MacSys.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
File created	C:\Program Files\Ê¢´óÍøÂç\Ã°ÏÕµºonline\SysComs.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
File created	C:\Program Files\Ê¢´óÍøÂç\Ã°ÏÕµºonline\comres.dll	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	1208	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2752	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	80
PID 4132 wrote to memory of 2752	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	80
PID 4132 wrote to memory of 2752	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	80
PID 4132 wrote to memory of 1208	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	82
PID 4132 wrote to memory of 1208	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	82
PID 4132 wrote to memory of 1208	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	82
PID 4132 wrote to memory of 2992	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	83
PID 4132 wrote to memory of 2992	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	83
PID 4132 wrote to memory of 2992	4132	c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe	83

C:\Users\Admin\AppData\Local\Temp\c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe
"C:\Users\Admin\AppData\Local\Temp\c1bde58f971eb367e8872c703dd0456273efc4922eb0d2da558a67ec599e7cc8.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\sfc.exe
  C:\Windows\system32\sfc.exe /REVERT
  2⤵
  PID:2752
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\MacSys.dll,init
  2⤵
  - Loads dropped DLL
  - Modifies WinLogon
  PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 664
    3⤵
    - Program crash
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\system32\bitmap.bat
  2⤵
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1208 -ip 1208
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MacSys.dll

Filesize
14KB

MD5
911fc8da19a0d0384d831a0b80067fc7

SHA1
90395638c542c94491f19b331218085e887d660d

SHA256
04dab09e334c04ff70a21d8b6d0f1315d545d8852ce7068821c4ccb14748f4e2

SHA512
9c6395eeb5d5c4cf5ec87ac93a4cd3fa7195116a00b00b03ca92e9a977945d28a829780f4c6698bbaea59877b8c59b3d1d4d3f42b06956054200af7d5bce9b4e

Download Submit
C:\Windows\SysWOW64\MacSys.dll

Filesize
14KB

MD5
911fc8da19a0d0384d831a0b80067fc7

SHA1
90395638c542c94491f19b331218085e887d660d

SHA256
04dab09e334c04ff70a21d8b6d0f1315d545d8852ce7068821c4ccb14748f4e2

SHA512
9c6395eeb5d5c4cf5ec87ac93a4cd3fa7195116a00b00b03ca92e9a977945d28a829780f4c6698bbaea59877b8c59b3d1d4d3f42b06956054200af7d5bce9b4e

Download Submit
C:\Windows\SysWOW64\bitmap.bat

Filesize
257B

MD5
3c07867d69f784f3bff28a14d3754fc3

SHA1
4b208c8eb2ee12df033acae720f3d4c64ce7a77b

SHA256
58b580cba985b22b38d9a38c758f17fc688f798457a5e15c82ee1da78c89868c

SHA512
38ae1ff3bbe741691b35b096c48fd28fbf9c92cc76ffe38c8f73f56e426cf4b2840e7eba041138887a0b498b2a8f3b62ad55cd1cfa9037250039e0b32d42f491

Download Submit
memory/1208-140-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4132-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4132-136-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing