5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05

General

Target

5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe
Size

255KB
MD5

6dc9d5018df6db88c73694b4935b7c80
SHA1

a3ccb83cdeba5c3f8f33222c66faab0f566ef10e
SHA256

5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05
SHA512

86a2719259c22f62cb901f2e603a3b4a25b929d041f600993f28ba5c486dca8fe725faf2895cabd7e2cccc7fd912b838ba69b7cfc4b58fdca6900557ef8c1610
SSDEEP

3072:+GR8Y6hDaAyQIrZBbSJ27ml1LKt/ndVwkr+zXVUYRom8SbR:+GR8Y6lpYyludrCFUcom8iR

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000005c50-60.dat	acprotect
behavioral1/files/0x0007000000005c50-59.dat	acprotect
behavioral1/files/0x0007000000005c50-61.dat	acprotect
behavioral1/files/0x0007000000005c50-62.dat	acprotect
behavioral1/files/0x0007000000005c50-63.dat	acprotect

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000005c50-60.dat	upx
behavioral1/files/0x0007000000005c50-59.dat	upx
behavioral1/files/0x0007000000005c50-61.dat	upx
behavioral1/files/0x0007000000005c50-62.dat	upx
behavioral1/files/0x0007000000005c50-63.dat	upx
behavioral1/memory/1256-64-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1256	rundll32.exe
1256	rundll32.exe
1256	rundll32.exe
1256	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\.Net Recovery = "rundll32.exe dotnetfx.dll,repair"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dotnetfx.dll	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1292	1476	WerFault.exe	19

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1256	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	27
PID 1476 wrote to memory of 1292	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	28
PID 1476 wrote to memory of 1292	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	28
PID 1476 wrote to memory of 1292	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	28
PID 1476 wrote to memory of 1292	1476	5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe	28

C:\Users\Admin\AppData\Local\Temp\5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe
"C:\Users\Admin\AppData\Local\Temp\5e519efcf0b462583d27be914ff29c93a9af432a4b98996f1b41069d87a92d05.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" dotnetfx.dll,repair
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 272
  2⤵
  - Program crash
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dotnetfx.dll

Filesize
16KB

MD5
241b0dc14db6ad8abcab86e963765c30

SHA1
256bb8175bfcc525dca15ab88008b1f0aa071fe7

SHA256
c8053bee8ebc39f807cc0eb2237aba612b64f9c293f06c812b16da7f0716097a

SHA512
177218d81caef0dc787b74cfe158580ac1a7256fa20dc5f63b2c3cac0b7da43040de8eb3cee84db58216baf2df1ccda35b4e335cb7bc7174ed608cb3322f08ce

Download Submit
\Windows\SysWOW64\dotnetfx.dll

Filesize
16KB

MD5
241b0dc14db6ad8abcab86e963765c30

SHA1
256bb8175bfcc525dca15ab88008b1f0aa071fe7

SHA256
c8053bee8ebc39f807cc0eb2237aba612b64f9c293f06c812b16da7f0716097a

SHA512
177218d81caef0dc787b74cfe158580ac1a7256fa20dc5f63b2c3cac0b7da43040de8eb3cee84db58216baf2df1ccda35b4e335cb7bc7174ed608cb3322f08ce

Download Submit
\Windows\SysWOW64\dotnetfx.dll

Filesize
16KB

MD5
241b0dc14db6ad8abcab86e963765c30

SHA1
256bb8175bfcc525dca15ab88008b1f0aa071fe7

SHA256
c8053bee8ebc39f807cc0eb2237aba612b64f9c293f06c812b16da7f0716097a

SHA512
177218d81caef0dc787b74cfe158580ac1a7256fa20dc5f63b2c3cac0b7da43040de8eb3cee84db58216baf2df1ccda35b4e335cb7bc7174ed608cb3322f08ce

Download Submit
\Windows\SysWOW64\dotnetfx.dll

Filesize
16KB

MD5
241b0dc14db6ad8abcab86e963765c30

SHA1
256bb8175bfcc525dca15ab88008b1f0aa071fe7

SHA256
c8053bee8ebc39f807cc0eb2237aba612b64f9c293f06c812b16da7f0716097a

SHA512
177218d81caef0dc787b74cfe158580ac1a7256fa20dc5f63b2c3cac0b7da43040de8eb3cee84db58216baf2df1ccda35b4e335cb7bc7174ed608cb3322f08ce

Download Submit
\Windows\SysWOW64\dotnetfx.dll

Filesize
16KB

MD5
241b0dc14db6ad8abcab86e963765c30

SHA1
256bb8175bfcc525dca15ab88008b1f0aa071fe7

SHA256
c8053bee8ebc39f807cc0eb2237aba612b64f9c293f06c812b16da7f0716097a

SHA512
177218d81caef0dc787b74cfe158580ac1a7256fa20dc5f63b2c3cac0b7da43040de8eb3cee84db58216baf2df1ccda35b4e335cb7bc7174ed608cb3322f08ce

Download Submit
memory/1256-56-0x0000000000000000-mapping.dmp

Download
memory/1256-64-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1292-57-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x00000000010E0000-0x0000000001111453-memory.dmp

Filesize
197KB

Download

Analysis

Sharing