e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe
Size

805KB
MD5

687f7212a7facaeac62f4d87f1482600
SHA1

89c1067997f9571c711b718b517cdefbc6e1851c
SHA256

e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898
SHA512

2ddc13eaf738e5d6633c4ccdcaa54894cd26329b4a5d2fc07e7bf66c045cbd149c900f63a431c1859738e2351e121c012899a55e2d766260e55d4c8cde20d93e
SSDEEP

24576:aStlc3mN19i0zc/iCwipo0uw8AOo7hyiqfyERtGJvQLs:aStlc3c9i0zc/tfpo/DeyyEReQLs

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000022e0f-134.dat	acprotect
behavioral2/files/0x000a000000022e0f-133.dat	acprotect
behavioral2/files/0x000a000000022e0f-143.dat	acprotect
behavioral2/files/0x000a000000022e0f-145.dat	acprotect
behavioral2/files/0x000a000000022e0f-144.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4180	update.exe

Loads dropped DLL 7 IoCs

pid	Process
2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe
2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe
2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe
4180	update.exe
4180	update.exe
4180	update.exe
4180	update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB2820917.log	update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	4180	update.exe
Token: SeRestorePrivilege	4180	update.exe
Token: SeShutdownPrivilege	4180	update.exe
Token: SeSecurityPrivilege	4180	update.exe
Token: SeTakeOwnershipPrivilege	4180	update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4180	2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe	79
PID 2280 wrote to memory of 4180	2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe	79
PID 2280 wrote to memory of 4180	2280	e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe	79

C:\Users\Admin\AppData\Local\Temp\e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe
"C:\Users\Admin\AppData\Local\Temp\e1e6e43766cd72569136fcd88e8da35015fe468c92c44623141bdb123337c898.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- \??\c:\e41121bd8092e9fd68ed5e4138\update\update.exe
  c:\e41121bd8092e9fd68ed5e4138\update\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gmi7D43.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmi7D43.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmi7D43.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmi7D43.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmi7D43.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\e41121bd8092e9fd68ed5e4138\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
C:\e41121bd8092e9fd68ed5e4138\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
C:\e41121bd8092e9fd68ed5e4138\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\e41121bd8092e9fd68ed5e4138\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
memory/2280-142-0x0000000000630000-0x00000000006A4000-memory.dmp

Filesize
464KB

Download
memory/2280-132-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/2280-148-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/2280-149-0x0000000000630000-0x00000000006A4000-memory.dmp

Filesize
464KB

Download
memory/4180-141-0x0000000000511000-0x0000000000533000-memory.dmp

Filesize
136KB

Download
memory/4180-140-0x0000000000510000-0x0000000000564000-memory.dmp

Filesize
336KB

Download
memory/4180-146-0x0000000000C20000-0x0000000000C94000-memory.dmp

Filesize
464KB

Download
memory/4180-147-0x0000000000C20000-0x0000000000C94000-memory.dmp

Filesize
464KB

Download