aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557

General

Target

aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe
Size

107KB
MD5

663d6f1455e3eeac90b58a208c3172f0
SHA1

b23639f4693e88d53d43c9869b06a3f39014ebd2
SHA256

aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557
SHA512

d892d1935a373584e585f252147a5ad99d28909e8a9c8089096f1d3bb05890e9d8061be5a2ac7c9479000cfa7147f9bac31a041a1ed4d787cb02ba55b359dc52
SSDEEP

3072:IgXdZt9P6D3XJbC1PVTMF+LGT02bVcu+HZN+p5q:Ie344hio0fbVc5HZN+p5q

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000005c50-57.dat	acprotect
behavioral1/files/0x0008000000005c50-58.dat	acprotect
behavioral1/files/0x0008000000005c50-59.dat	acprotect
behavioral1/files/0x0008000000005c50-60.dat	acprotect
behavioral1/files/0x0008000000005c50-61.dat	acprotect

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1172	rundll32.exe
7	1172	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c50-57.dat	upx
behavioral1/files/0x0008000000005c50-58.dat	upx
behavioral1/files/0x0008000000005c50-59.dat	upx
behavioral1/files/0x0008000000005c50-60.dat	upx
behavioral1/files/0x0008000000005c50-61.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1956	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1172	rundll32.exe
1172	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1976 wrote to memory of 1172	1976	aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe	26
PID 1172 wrote to memory of 828	1172	rundll32.exe	30
PID 1172 wrote to memory of 828	1172	rundll32.exe	30
PID 1172 wrote to memory of 828	1172	rundll32.exe	30
PID 1172 wrote to memory of 828	1172	rundll32.exe	30
PID 828 wrote to memory of 1956	828	cmd.exe	32
PID 828 wrote to memory of 1956	828	cmd.exe	32
PID 828 wrote to memory of 1956	828	cmd.exe	32
PID 828 wrote to memory of 1956	828	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe
"C:\Users\Admin\AppData\Local\Temp\aa5c23bffe92e7df946e1c59423bb1e5978043d0e7e38aeb4f7ae6924b9dc557.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\miniloader.dll",Install C:\Users\Admin\AppData\Local\Temp\activate.dat
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\miniloader.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\activate.dat

Filesize
1024B

MD5
8c410bcbdedb6750bc90a79775b62bfa

SHA1
442a14d64d751fd0eb24d13a641df1564d0fea76

SHA256
587a2743b7918b522304be5f723de3245a551b1473a7e9cae32e230c7d0c75ed

SHA512
99620584263a013cf5a5533971f13f04327d1b1b558e006543da638c27e8f11d70516782bef61c14f3bd4e386edbde8664dc050d0d548542b21bf15dfe987046

Download Submit
C:\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
memory/1172-62-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1172-64-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1172-67-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing