75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439

Analysis

max time kernel
18s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
Size

82KB
MD5

7b7c2fc6ba3522590124f1f5d6d40990
SHA1

98ea7b143ee5071b02730837d9ab0578d1182f68
SHA256

75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439
SHA512

8cafbe28acb4570bc4b39fc789bbe3c4b1beb131d676969f5aa9c56d8369cfd732dbf2f8250a73b293b6caaf85aa3f17b9458a72835ebf7a5a8ca52ef0a0ab9c
SSDEEP

768:9SFtXQnGjTfbXccQdavRRzEcxZRMy+MZLvVWEwf0lBWQkJPw/:EsU3scQyvzPHcST36JPw

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012315-59.dat	acprotect
behavioral1/files/0x000b000000012315-61.dat	acprotect
behavioral1/files/0x000b000000012315-64.dat	acprotect
behavioral1/files/0x000b000000012315-62.dat	acprotect
behavioral1/files/0x000b000000012315-60.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1916	myInsDll.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/files/0x000b000000012315-59.dat	upx
behavioral1/files/0x000b000000012315-61.dat	upx
behavioral1/files/0x000b000000012315-64.dat	upx
behavioral1/files/0x000b000000012315-62.dat	upx
behavioral1/files/0x000b000000012315-60.dat	upx
behavioral1/memory/1916-74-0x0000000010000000-0x0000000010108000-memory.dmp	upx

Loads dropped DLL 11 IoCs

pid	Process
1968	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
1916	myInsDll.exe
1916	myInsDll.exe
1916	myInsDll.exe
1916	myInsDll.exe
1916	myInsDll.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	myInsDll.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Unamsmqnws.dat	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
File created	C:\Windows\SysWOW64\dnfwg.dll	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
File created	C:\Windows\SysWOW64\myInsDll.exe	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
File opened for modification	C:\Windows\SysWOW64\myInsDll.exe	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
File created	C:\Windows\SysWOW64\sfc32.dll	myInsDll.exe
File opened for modification	C:\Windows\SysWOW64\sfc32.dll	myInsDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	1916	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1916	1968	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe	28
PID 1968 wrote to memory of 1916	1968	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe	28
PID 1968 wrote to memory of 1916	1968	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe	28
PID 1968 wrote to memory of 1916	1968	75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe	28
PID 1916 wrote to memory of 840	1916	myInsDll.exe	29
PID 1916 wrote to memory of 840	1916	myInsDll.exe	29
PID 1916 wrote to memory of 840	1916	myInsDll.exe	29
PID 1916 wrote to memory of 840	1916	myInsDll.exe	29
PID 1916 wrote to memory of 2044	1916	myInsDll.exe	31
PID 1916 wrote to memory of 2044	1916	myInsDll.exe	31
PID 1916 wrote to memory of 2044	1916	myInsDll.exe	31
PID 1916 wrote to memory of 2044	1916	myInsDll.exe	31

C:\Users\Admin\AppData\Local\Temp\75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
"C:\Users\Admin\AppData\Local\Temp\75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\myInsDll.exe
  "C:\Windows\system32\myInsDll.exe" dnfwg.dll,abcdefghjk C:\Users\Admin\AppData\Local\Temp\75ba49bbb6ab9358a188e48d355389003494ca461f9550127c40afc8c8460439.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\sfc.exe
    "C:\Windows\system32\sfc.exe" /REVERT
    3⤵
    PID:840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 344
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dnfwg.dll

Filesize
30KB

MD5
d45ac07f17b08069cf0dc9a9d75f42b6

SHA1
8d4d844558ef64f0e6289f5922c7428fcaad1bc9

SHA256
00d658968a19e89936dd9db334dda9e4e372852e9f63947436a5f0a03ffdd6a5

SHA512
aa672fb73d988e38d3a3af9158698b469016fea818c196dbe61df9348e1fc4229dacb21250d1f7768b9f2bf8f4d119f90c8a99cb68d148d538c2742bc3f48e49

Download Submit
C:\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\dnfwg.dll

Filesize
30KB

MD5
d45ac07f17b08069cf0dc9a9d75f42b6

SHA1
8d4d844558ef64f0e6289f5922c7428fcaad1bc9

SHA256
00d658968a19e89936dd9db334dda9e4e372852e9f63947436a5f0a03ffdd6a5

SHA512
aa672fb73d988e38d3a3af9158698b469016fea818c196dbe61df9348e1fc4229dacb21250d1f7768b9f2bf8f4d119f90c8a99cb68d148d538c2742bc3f48e49

Download Submit
\Windows\SysWOW64\dnfwg.dll

Filesize
30KB

MD5
d45ac07f17b08069cf0dc9a9d75f42b6

SHA1
8d4d844558ef64f0e6289f5922c7428fcaad1bc9

SHA256
00d658968a19e89936dd9db334dda9e4e372852e9f63947436a5f0a03ffdd6a5

SHA512
aa672fb73d988e38d3a3af9158698b469016fea818c196dbe61df9348e1fc4229dacb21250d1f7768b9f2bf8f4d119f90c8a99cb68d148d538c2742bc3f48e49

Download Submit
\Windows\SysWOW64\dnfwg.dll

Filesize
30KB

MD5
d45ac07f17b08069cf0dc9a9d75f42b6

SHA1
8d4d844558ef64f0e6289f5922c7428fcaad1bc9

SHA256
00d658968a19e89936dd9db334dda9e4e372852e9f63947436a5f0a03ffdd6a5

SHA512
aa672fb73d988e38d3a3af9158698b469016fea818c196dbe61df9348e1fc4229dacb21250d1f7768b9f2bf8f4d119f90c8a99cb68d148d538c2742bc3f48e49

Download Submit
\Windows\SysWOW64\dnfwg.dll

Filesize
30KB

MD5
d45ac07f17b08069cf0dc9a9d75f42b6

SHA1
8d4d844558ef64f0e6289f5922c7428fcaad1bc9

SHA256
00d658968a19e89936dd9db334dda9e4e372852e9f63947436a5f0a03ffdd6a5

SHA512
aa672fb73d988e38d3a3af9158698b469016fea818c196dbe61df9348e1fc4229dacb21250d1f7768b9f2bf8f4d119f90c8a99cb68d148d538c2742bc3f48e49

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\myInsDll.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\sfc32.dll

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/1916-74-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download