57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 11:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe
Size

758KB
MD5

79876c967a8967534beacbd8c5a256d3
SHA1

304d5e552b083e33a57752866f39f6075fb10d34
SHA256

57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7
SHA512

6a237962062a598672d80765e2b032d82e58b939ab053416967e4f3e6fc0e2efde5b4e7097b786d7a56dde6d2c80ef354a973a3c74c6e69a7997f01398ddd153
SSDEEP

12288:wOHPCq20LORRDCAq71C81Tm4PH8UNTn+2HHgBiMO/NO3+A/Bmw3MGOFxYCNAmfe2:wSaqzLkRbq7/oY8g+egMM6gj/BmwcGED

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	acprotect
behavioral1/files/0x000500000000b2d2-67.dat	acprotect
behavioral1/files/0x000500000000b2d2-66.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
936	update.exe

Loads dropped DLL 6 IoCs

pid	Process
1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe
1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe
936	update.exe
936	update.exe
936	update.exe
936	update.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\KB888111.log	update.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeBackupPrivilege	936	update.exe
Token: SeRestorePrivilege	936	update.exe
Token: SeShutdownPrivilege	936	update.exe
Token: SeSecurityPrivilege	936	update.exe
Token: SeTakeOwnershipPrivilege	936	update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27
PID 1064 wrote to memory of 936	1064	57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe	27

C:\Users\Admin\AppData\Local\Temp\57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe
"C:\Users\Admin\AppData\Local\Temp\57831738034581423a6530514ccf74f6b514e5762fdf92e3a9464d67d98244e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064
- \??\c:\f6303a207af1b70fdf792680267de0\update\update.exe
  c:\f6303a207af1b70fdf792680267de0\update\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rak4B3.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
\??\c:\f6303a207af1b70fdf792680267de0\Update\HDAUpdate_Srv2k3.inf

Filesize
6KB

MD5
ee1bf12b2e945948468466f33842b661

SHA1
28d7e13563c762dd4b4c185ffe30a3e071b2b7c3

SHA256
601b711c3ad1e93bd38dea33933c874fef9ce972d046a14f58263e509dfbe935

SHA512
927ca39ead39ae3de7ad43ed9f0cc9866eccc42fdfd8a5538ca69b96eae573617df80fdc4cc32a06219cec276c46f6339497cb36faa18c0cf3a681f386fd9611

Download Submit
\??\c:\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
\??\c:\f6303a207af1b70fdf792680267de0\update\updatebr.inf

Filesize
387B

MD5
55ea3cf40853c7fe0ba2f8e7960d976b

SHA1
ca40eb9f58ff876b1bf9a362ffb6f692f993f0a4

SHA256
38470a6b1cde7454969bfb45eabc2d337b19eed62d2f87d26e4ac69363da6fae

SHA512
92b51287a33bc98acb8aaf6fa1e057516e6792b0852716684ecc2d2b2d4ed3933c9e5c9b93fbb4f296401a989912ee30bfbc9aae3a0b160e8b55a3dde2a846a4

Download Submit
\Users\Admin\AppData\Local\Temp\rak4B3.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\rak4B3.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
\f6303a207af1b70fdf792680267de0\update\update.exe

Filesize
614KB

MD5
9b7b88d5acf4c227cb26d27546c42ab9

SHA1
56451d35203932aa76804823a4283950287d153e

SHA256
86872bca330888b320ba98bad64b2547a6231beeb786c921b736380eb5495b07

SHA512
d3c03ac4dbf441ea64ab3e8de6710a305e2435c9ac48af6dfc90f85dfbf5cb1cb4c60b470cdad51bc3710f47d638c0f9ac152ec1611ecf6c2b65f898050b8cb8

Download Submit
memory/936-71-0x0000000000DB0000-0x0000000000E23000-memory.dmp

Filesize
460KB

Download
memory/936-72-0x0000000000DB0000-0x0000000000E23000-memory.dmp

Filesize
460KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-68-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1064-69-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1064-70-0x00000000008C0000-0x0000000000933000-memory.dmp

Filesize
460KB

Download
memory/1064-74-0x00000000008C0000-0x0000000000933000-memory.dmp

Filesize
460KB

Download
memory/1064-73-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download