Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 23:40
Static task: static1
Behavioral task: behavioral1
  Sample: ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
  Resource: win10v2004-20220812-en
General
Target: ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
Size: 21KB
MD5: 3cb33cb9ba35db393157f0cbd507d20a
SHA1: 3fa313f05d6bc4e0c147ad066a1d643bc540e4cf
SHA256: ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc
SHA512: 99654d6f586568619d54427407f38b71f2602258f730cf107ddb9c4051b19b7e044880676a2824508013f2531028a2b02c9bb17076b309913a60e8388aa39791
SSDEEP: 384:Ihr3k1JShXqN7oG5SPnm6HITRDt7Svy0aGaBYxQo3G90SZ54Uf:Mr010hXqkITJt7YynXIS0SX
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes:
  resource                              yara_rule
  C:\Program Files (x86)\captcha7.dll   acprotect
  C:\Program Files (x86)\captcha7.dll   acprotect

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  6     4804  rundll32.exe
  9     4804  rundll32.exe

Processes:
  resource                                                                       yara_rule
  C:\Program Files (x86)\captcha7.dll                                            upx
  C:\Program Files (x86)\captcha7.dll                                            upx
  behavioral2/memory/4804-139-0x0000000010000000-0x000000001000F000-memory.dmp   upx
  behavioral2/memory/4804-140-0x0000000010000000-0x000000001000F000-memory.dmp   upx

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  4804  rundll32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                   process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run           rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Captcha7 = "rundll \"C:\\Program Files (x86)\\captcha7.dll\",captcha"   rundll32.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description                   ioc                                   process
  File created                  C:\Program Files (x86)\captcha7.dll   ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
  File opened for modification  C:\Program Files (x86)\captcha7.dll   ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  4804  rundll32.exe
  4804  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 4940 wrote to memory of 4804  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  rundll32.exe
  PID 4940 wrote to memory of 4804  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  rundll32.exe
  PID 4940 wrote to memory of 4804  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  rundll32.exe
  PID 4940 wrote to memory of 2120  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  cmd.exe
  PID 4940 wrote to memory of 2120  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  cmd.exe
  PID 4940 wrote to memory of 2120  4940  ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe  cmd.exe
Processes (process tree)

1. C:\Users\Admin\AppData\Local\Temp\ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe"
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 "C:\Program Files (x86)\captcha7.dll",captcha
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\captcha.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\captcha7.dll
  Filesize: 16KB
  MD5: 03777cde0dac045bad579e77195d0090
  SHA1: 4c6fc63b72caafb7fa7cbe0207247f53b4e789dd
  SHA256: b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8
  SHA512: c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c
\??\c:\captcha.bat
  Filesize: 268B
  MD5: 8a66043d2425dc4ed7ed8e84e908e535
  SHA1: 89a8700b681e572689fb9026383dfc0fa72c6970
  SHA256: c00b13e8333de21ffbb95289465fa181d4960a2581d1ff04f7f4deac9459acb3
  SHA512: 096b7a83e64128c87cfcce6b3f4cdd00db5496eb53e26554bc3115c50011922266c5a1169a3bfff90279de87aa0d72f415ca3a0d50b355d3f01945dfc84b99c7

memory/2120-134-0x0000000000000000-mapping.dmp

memory/4804-133-0x0000000000000000-mapping.dmp

memory/4804-139-0x0000000010000000-0x000000001000F000-memory.dmp
  Filesize: 60KB

memory/4804-140-0x0000000010000000-0x000000001000F000-memory.dmp
  Filesize: 60KB

memory/4940-132-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB

memory/4940-135-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB