a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431

General

Target

a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe
Size

181KB
MD5

0ba724c43f3552719cbb87a35cc85780
SHA1

e89716496311ed7b5ea2ab2b7fe233b5d517e99d
SHA256

a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431
SHA512

7b408939bb3a4e03e090434d646a5c63fc23a8d7433b686544d4c2e642829cced8d84db5b4bbdaa4b2bdda74e16d37869c285839e1b996d29304f4862b7b6ed1
SSDEEP

3072:+WE7gVbgUVhxgeD7ZPZ+Bf/9dsNUQycoT6oPpjsuDoZK5Di3ceHNQU8twUbXq:+h7gVJNxZEB/VQyxIK5DibH+UbUbXq

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	acprotect
behavioral1/files/0x00140000000054ab-62.dat	acprotect
behavioral1/files/0x00140000000054ab-61.dat	acprotect
behavioral1/files/0x00140000000054ab-65.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe
1956	explorer.exe
2044	DllHost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	explorer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe
1956	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1956	584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe	28
PID 584 wrote to memory of 1956	584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe	28
PID 584 wrote to memory of 1956	584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe	28
PID 584 wrote to memory of 1956	584	a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe	28

C:\Users\Admin\AppData\Local\Temp\a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe
"C:\Users\Admin\AppData\Local\Temp\a325c0dc4a666858acb79cbe559b6a4226691cac13e49fdc5847d1514cd53431.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- Loads dropped DLL
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axkE908.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\axkE908.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\axkE908.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\axkE908.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/584-57-0x0000000000340000-0x00000000003B3000-memory.dmp

Filesize
460KB

Download
memory/584-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/584-56-0x0000000001000000-0x0000000001005000-memory.dmp

Filesize
20KB

Download
memory/584-69-0x0000000000340000-0x00000000003B3000-memory.dmp

Filesize
460KB

Download
memory/1376-63-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1956-60-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download
memory/1956-64-0x00000000003D0000-0x0000000000443000-memory.dmp

Filesize
460KB

Download
memory/2044-67-0x0000000071491000-0x0000000071493000-memory.dmp

Filesize
8KB

Download
memory/2044-68-0x0000000000C20000-0x0000000000C93000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing