7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb

General

Target

7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe
Size

940KB
MD5

621d76ff430144938d91d17cfe23bba0
SHA1

92bcf507778b4d4f6cde0b82aa1ae72807a508e6
SHA256

7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb
SHA512

e39d5bd0770e382c8d8574442302d734fa57c95b235d1b9954dbf1cec567f8bfe28db1d1c8c40ad1529ff9777fe9cf3912853b4ec0b2c9f132f4efdccbc14459
SSDEEP

24576:EbXpQ7LRm65mp7JbmnD6qGwYy92sMJO5W0j/X/l:ELpQUooJbmnD6yYyILoft

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000022dd2-132.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4324	CFLogin.exe
4932	System64.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022dd2-132.dat	upx
behavioral2/memory/2556-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2556-151-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe
4932	System64.exe
4932	System64.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.exe	System64.exe
File created	C:\Windows\SysWOW64\System64.exe	CFLogin.exe
File opened for modification	C:\Windows\SysWOW64\System64.exe	CFLogin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 2204	4932	System64.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	2204	WerFault.exe	85

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe
2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe
2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4324	2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe	83
PID 2556 wrote to memory of 4324	2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe	83
PID 2556 wrote to memory of 4324	2556	7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe	83
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85
PID 4932 wrote to memory of 2204	4932	System64.exe	85

C:\Users\Admin\AppData\Local\Temp\7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe
"C:\Users\Admin\AppData\Local\Temp\7735e96318ef550e2c604bbf7ede6d5a7208387d95e20450e4da23e366d2d0eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\CFLogin.exe
  CFLogin.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4324

C:\Windows\SysWOW64\System64.exe
C:\Windows\SysWOW64\System64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\userinit.exe
  "C:\Windows\system32\userinit.exe"
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 12
    3⤵
    - Program crash
    PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2204 -ip 2204
1⤵
PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CFLogin.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFLogin.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
95KB

MD5
74643bfcb5506297fc0a08baa172db15

SHA1
d5b8d5a7b9ba10d346a28750f8bce0c5b9fa597b

SHA256
97988664ef4449da37eb18f1c3df31a44a7decd581ae7e35e8078768fc957d9a

SHA512
2a14130822ae0921885e03a4a10de39f9c40da71333036ec1b30747b93991c71d8ce65e6cdd29a77619d44b505489d2c231b498f660a1db0b392aa7f36717b4f

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
95KB

MD5
371c7c5e99495dbba5e6e99a51cd0ea7

SHA1
420a7792b4edbadeb1a93745a8c0153bfcc453db

SHA256
0ea1f4576b290c2a800efd3bb7af4b29a1097c9f6b9fed3f0e9b9fd8b9e686dc

SHA512
f03fbf0038be3bdab6853ec9a783d9b112ca60524328fd73819d7f44c751ff5db3c2abc90342526ebdf251c6f883b6927949f018da69079f331a170f760773dc

Download Submit
memory/2204-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2556-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2556-151-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing