6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409

Analysis

max time kernel
144s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
Size

723KB
MD5

191789aaedd52994238e6c4a1b575071
SHA1

023bf1848e8d3adfe67b3d44047ddffc84b6dea8
SHA256

6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409
SHA512

41732d03de63c94ac874e350cfcb7094813cbf290bb238aa490aa22d84807f6a07430af8075378b5177c5e25994750533c39a463d583696eefe353d801ac5a5f
SSDEEP

12288:XvNf3zlY70QznbpOZtpuAR3Wdg+49xdOKONYJxmVZatx72MD67HWEUR2Lc:Xv9lYAQzn1OZtpuiIwevYsatkQ6DVY2g

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000122ca-54.dat	acprotect
behavioral1/files/0x000b0000000122ca-67.dat	acprotect
behavioral1/files/0x000b0000000122ca-66.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
896	BRClientName.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122ca-54.dat	upx
behavioral1/memory/1220-56-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/files/0x000b0000000122ca-67.dat	upx
behavioral1/files/0x000b0000000122ca-66.dat	upx
behavioral1/memory/896-73-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/1220-79-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/896-81-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
836	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
896	BRClientName.exe
896	BRClientName.exe
1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BRClientName.exe	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
File opened for modification	C:\Windows\SysWOW64\BRClientName.exe	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
File created	C:\Windows\SysWOW64\BRClientName.dll	BRClientName.exe
File opened for modification	C:\Windows\SysWOW64\BRClientName.dll	BRClientName.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\94980c1590b4df88453eaa4d915705e2.dat	BRClientName.exe
File created	C:\Windows\Fonts\94980c1590b4df88453eaa4d915705e2.dat	BRClientName.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372320755"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	BRClientName.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3773ECC0-49F6-11ED-AAA1-C6F54D7498C3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
896	BRClientName.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1188	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
896	BRClientName.exe
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 896	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	26
PID 1220 wrote to memory of 896	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	26
PID 1220 wrote to memory of 896	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	26
PID 1220 wrote to memory of 896	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	26
PID 1220 wrote to memory of 836	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	27
PID 1220 wrote to memory of 836	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	27
PID 1220 wrote to memory of 836	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	27
PID 1220 wrote to memory of 836	1220	6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe	27
PID 896 wrote to memory of 1188	896	BRClientName.exe	29
PID 896 wrote to memory of 1188	896	BRClientName.exe	29
PID 896 wrote to memory of 1188	896	BRClientName.exe	29
PID 896 wrote to memory of 1188	896	BRClientName.exe	29
PID 896 wrote to memory of 1188	896	BRClientName.exe	29
PID 1188 wrote to memory of 1040	1188	IEXPLORE.EXE	31
PID 1188 wrote to memory of 1040	1188	IEXPLORE.EXE	31
PID 1188 wrote to memory of 1040	1188	IEXPLORE.EXE	31
PID 1188 wrote to memory of 1040	1188	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe
"C:\Users\Admin\AppData\Local\Temp\6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\BRClientName.exe
  C:\Windows\system32\BRClientName.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""c:\6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe_And DeleteMe.bat""
  2⤵
  - Deletes itself
  PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
407KB

MD5
783a2f0cc9d2c13f2cb980b5bd198005

SHA1
a1bafe779952f61946fe9003e48dddc65184c6da

SHA256
e21bf808a0f4c0d6e971267bb61cb00bd9acf45ddabd6db90f906ba064a3489f

SHA512
c35d6a39658722dc603e372c92ef18fe7700bfda435230cf5fc39c61c3044481a581cfe797c88fd131e6ecb5940ac31423b33b86b2d52e57df2a1c5669e2bbdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LXC1V9SC.txt

Filesize
596B

MD5
ea2cd68b7a25537f0275dfb59d37d304

SHA1
49035f39105947eb95ea2b39e2525a5fa9495b15

SHA256
d437408a3958e27d31daca17f405f012ebfd5f8e17265460635fa6c7208b503d

SHA512
d93b79d1938b61e7c871f87a2e58f5179093f46e506b17c520e7c91e8b7e78921ffd539cfdae062c24c7a899c89f816b4803debac0962c1729a35d84c0c4c191

Download Submit
C:\Windows\SysWOW64\BRClientName.exe

Filesize
723KB

MD5
191789aaedd52994238e6c4a1b575071

SHA1
023bf1848e8d3adfe67b3d44047ddffc84b6dea8

SHA256
6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409

SHA512
41732d03de63c94ac874e350cfcb7094813cbf290bb238aa490aa22d84807f6a07430af8075378b5177c5e25994750533c39a463d583696eefe353d801ac5a5f

Download Submit
C:\Windows\SysWOW64\BRClientName.exe

Filesize
723KB

MD5
191789aaedd52994238e6c4a1b575071

SHA1
023bf1848e8d3adfe67b3d44047ddffc84b6dea8

SHA256
6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409

SHA512
41732d03de63c94ac874e350cfcb7094813cbf290bb238aa490aa22d84807f6a07430af8075378b5177c5e25994750533c39a463d583696eefe353d801ac5a5f

Download Submit
\??\c:\6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409.exe_And DeleteMe.bat

Filesize
246B

MD5
f2edbe4699e6f85bd251bd111a2b99d2

SHA1
44aebd17a1a9cd03eea493e6710aab72a927930c

SHA256
5efdacbfd49fcb90165a0405dc91aad986b4113c4d4ae2cacb5d7a9d566b0619

SHA512
8f1d398c1d70ddc51c264211773f862bcff61587a7013be3b8586397bedd63890538435c4d1cb7505911d9224b83a7323049dbd8d0c320560e661654bdef1770

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
407KB

MD5
783a2f0cc9d2c13f2cb980b5bd198005

SHA1
a1bafe779952f61946fe9003e48dddc65184c6da

SHA256
e21bf808a0f4c0d6e971267bb61cb00bd9acf45ddabd6db90f906ba064a3489f

SHA512
c35d6a39658722dc603e372c92ef18fe7700bfda435230cf5fc39c61c3044481a581cfe797c88fd131e6ecb5940ac31423b33b86b2d52e57df2a1c5669e2bbdc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
407KB

MD5
783a2f0cc9d2c13f2cb980b5bd198005

SHA1
a1bafe779952f61946fe9003e48dddc65184c6da

SHA256
e21bf808a0f4c0d6e971267bb61cb00bd9acf45ddabd6db90f906ba064a3489f

SHA512
c35d6a39658722dc603e372c92ef18fe7700bfda435230cf5fc39c61c3044481a581cfe797c88fd131e6ecb5940ac31423b33b86b2d52e57df2a1c5669e2bbdc

Download Submit
\Windows\SysWOW64\BRClientName.exe

Filesize
723KB

MD5
191789aaedd52994238e6c4a1b575071

SHA1
023bf1848e8d3adfe67b3d44047ddffc84b6dea8

SHA256
6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409

SHA512
41732d03de63c94ac874e350cfcb7094813cbf290bb238aa490aa22d84807f6a07430af8075378b5177c5e25994750533c39a463d583696eefe353d801ac5a5f

Download Submit
\Windows\SysWOW64\BRClientName.exe

Filesize
723KB

MD5
191789aaedd52994238e6c4a1b575071

SHA1
023bf1848e8d3adfe67b3d44047ddffc84b6dea8

SHA256
6f6a3384f0ef5e1f748fd6c032cc851a92d0e31c1f952db54d954dc1929ad409

SHA512
41732d03de63c94ac874e350cfcb7094813cbf290bb238aa490aa22d84807f6a07430af8075378b5177c5e25994750533c39a463d583696eefe353d801ac5a5f

Download Submit
memory/896-72-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/896-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/896-73-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/896-82-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/896-81-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1220-56-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1220-57-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1220-69-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1220-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1220-79-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1220-62-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1220-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download