906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c

Analysis

max time kernel
7s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe
Size

8.1MB
MD5

31167139d58c329260deeb03953159f8
SHA1

584759bb66a0fa0fddab6365c3c2bc45d4345138
SHA256

906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c
SHA512

5127ed88f74ca143da3381c4dba108f18d8e48ab4d4ee8a8c98bbbf3892c4118ddf0739ea78b381ccd16d52026e1f64df917d590a1bff9fa11dfd54e88bf2d74
SSDEEP

98304:PeaqOlwanJbtzWC9z4tArcOEAxjEoZpUm09qhIc9y0dkLHdWWr8J58IKFpTSB+Ri:VVljZwC9oAhE2ERm0fc9J3yo5o/SB1Eq

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00140000000054ab-54.dat	acprotect
behavioral1/files/0x00140000000054ab-66.dat	acprotect
behavioral1/files/0x00140000000054ab-67.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
664	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe
976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe
664	setup.exe
664	setup.exe
664	setup.exe
664	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27
PID 976 wrote to memory of 664	976	906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe	27

C:\Users\Admin\AppData\Local\Temp\906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe
"C:\Users\Admin\AppData\Local\Temp\906820e5081a745717013821e2fb4bebce15615db4418001e9350da3c865380c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\ae216\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae216\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae216\Chinese.dat

Filesize
4KB

MD5
f95c73605747d8740f940ace40485e52

SHA1
02e94df5b3d2d3368305eefd2859eb6db2b77013

SHA256
a024be6c2ac0b92d1b713d23321b322c661e742755fe778c4b6ddb2c46e5c939

SHA512
235d749f8c1857ddfaf8e1080017ce91fbfb76371ed49aea151c5961c81e9473dcf6386b871be477f92e509ee6551181670a89b1765d8fea720e4595401e1f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae216\Setup.ini

Filesize
5KB

MD5
583cb168ececd21757fcf60446dcddd2

SHA1
e8cb861e9a2ebb7c7d57dcae35a224f50f997910

SHA256
5ef82845726bd8b9798e6c6ef5c43b1876d2ffa9e83092e023ee6a405b3d06e2

SHA512
1bd08a6f4316ca3f7c7f588b41349d3746ccf398eaf62fdfbd656119812e9b5cae835de671d03aac9c482918f1b4d3330f4a11ab9a589756887bddcc31ba810a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqkA094.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
\Users\Admin\AppData\Local\Temp\ae216\setup.exe

Filesize
428KB

MD5
96af56181c0ffa91d41d634e80feffc3

SHA1
01d305982da3c1827986721b1975e31b81ff3a5a

SHA256
b5bcd935a0ee93baf07a47418e111b2707eb39b451eb6384e8a7acf1304e2182

SHA512
749be7d42b4be38c4b10454ba071282362ed9ab03f5ece072c6a9384f6d71c538bb3bca3060c3792c1f3f360ce69ef8f25f51b56ee6fb9df9eebf3f332670cf0

Download Submit
\Users\Admin\AppData\Local\Temp\oqkA094.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\oqkA094.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/664-60-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/664-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/664-70-0x0000000000360000-0x00000000003D3000-memory.dmp

Filesize
460KB

Download
memory/976-57-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/976-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download