5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf6

Analysis

max time kernel
382s
max time network
378s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/09/2022, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
Size

1.8MB
MD5

11f76b1ce63cf90542ecdffc7fc7bae2
SHA1

da0101143ef0a9419aeda9b528abbd1a4289ff78
SHA256

5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf6
SHA512

b0b5946c44525d7675a0cd590011f98a192ca3977aac21d3d188f85602f1149f7ef88a0b21ea8dc238c5484a08d35a497dbe7ee18e2fb760892ad8a06d51ee77
SSDEEP

24576:kEex77nuApmK7JFt1g7TZaqdiXSp0c02uFG6dAk3xMjl:tK7b8Kbg7TZaqdwk0c05HGiy

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	upx
behavioral1/memory/1048-57-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	firefox.exe
Token: SeDebugPrivilege	1372	firefox.exe
Token: 33	2564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2564	AUDIODG.EXE
Token: 33	2564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2564	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1372	firefox.exe
1372	firefox.exe
1372	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
1048	5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 668 wrote to memory of 1372	668	firefox.exe	28
PID 1372 wrote to memory of 1492	1372	firefox.exe	30
PID 1372 wrote to memory of 1492	1372	firefox.exe	30
PID 1372 wrote to memory of 1492	1372	firefox.exe	30
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 1044	1372	firefox.exe	31
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32
PID 1372 wrote to memory of 880	1372	firefox.exe	32

C:\Users\Admin\AppData\Local\Temp\5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\5e61c19f634091264c187eb51acc8ac346914919e4f6a8b1e7a7087d0fcf8bf601~Rip - Copy - Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.0.422912235\1861928880" -parentBuildID 20200403170909 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1280 gpu
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.3.1376912275\706406661" -childID 1 -isForBrowser -prefsHandle 912 -prefMapHandle 1568 -prefsLen 122 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1764 tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.13.659412853\289373982" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2664 -prefsLen 6904 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 2684 tab
    3⤵
    PID:880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1048-57-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1048-58-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download