97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb

General

Target

97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe
Size

257KB
MD5

6c223895ea905ce600d0181250f29b39
SHA1

6f5f13a5ea5c383c7531786e5ded485ba80b6303
SHA256

97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb
SHA512

3a588cef72037a160a54f6ac82d24d258dfb71485881f87a3e654996509373d1d3b970757dbdecd0bf5296f6662e463551d50941ef25bf833cecfad3501368c3
SSDEEP

3072:Oxd5qdyipX2MB46XN0MKFkAFXrKnYhbwIz3qsuegTqAxMJSvbYjAo6fEuOHCBIv/:Oxdo3cMBrARnhbwIz6sOHiJob6AFdq

Score

9^/10

evasion trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000054a8-57.dat	acprotect
behavioral1/files/0x000c0000000054a8-58.dat	acprotect
behavioral1/files/0x000c0000000054a8-60.dat	acprotect
behavioral1/files/0x000c0000000054a8-59.dat	acprotect

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	916	rundll32.exe
2	916	rundll32.exe
4	916	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/files/0x000c0000000054a8-60.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/916-61-0x0000000000230000-0x000000000025C000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	916	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 768 wrote to memory of 916	768	97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe	27
PID 916 wrote to memory of 2020	916	rundll32.exe	28
PID 916 wrote to memory of 2020	916	rundll32.exe	28
PID 916 wrote to memory of 2020	916	rundll32.exe	28
PID 916 wrote to memory of 2020	916	rundll32.exe	28

C:\Users\Admin\AppData\Local\Temp\97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe
"C:\Users\Admin\AppData\Local\Temp\97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysTem32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 504
    3⤵
    - Program crash
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
57KB

MD5
3b8daad17fc3576b7ce42bd8e88eb40f

SHA1
de9610ea1cb66036241155b678696099cb2816dd

SHA256
23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

SHA512
77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

Download Submit
\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
57KB

MD5
3b8daad17fc3576b7ce42bd8e88eb40f

SHA1
de9610ea1cb66036241155b678696099cb2816dd

SHA256
23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

SHA512
77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

Download Submit
\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
57KB

MD5
3b8daad17fc3576b7ce42bd8e88eb40f

SHA1
de9610ea1cb66036241155b678696099cb2816dd

SHA256
23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

SHA512
77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

Download Submit
\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
57KB

MD5
3b8daad17fc3576b7ce42bd8e88eb40f

SHA1
de9610ea1cb66036241155b678696099cb2816dd

SHA256
23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

SHA512
77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

Download Submit
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/916-61-0x0000000000230000-0x000000000025C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing