b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93

General

Target

b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
Size

235KB
MD5

93daab6fc9b7259d284173bed17dd300
SHA1

119f522e48a02522673b0a33bb48e7c8fccdb0cc
SHA256

b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93
SHA512

cab980f08f76be4cf1a3a4fbc84791bbf3241c3560048484b105396a24074e5685cf756996a39929762a87fdf42c987bdcba8f06429d892e9338a6703aec990a
SSDEEP

6144:fatDyMkBnWce5ubtXcplbNi/DHBwNFwhl:y8nWcsmcrALaNFK

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022e32-133.dat	acprotect
behavioral2/files/0x0007000000022e32-134.dat	acprotect
behavioral2/files/0x000b00000002171d-139.dat	acprotect
behavioral2/files/0x000b00000002171d-140.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2616	iaacws.EXE

Loads dropped DLL 4 IoCs

pid	Process
4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
2616	iaacws.EXE
2616	iaacws.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iaacws.EXE	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
File opened for modification	C:\Windows\SysWOW64\iaacws.EXE	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iaacws.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iaacws.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
2616	iaacws.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3144	4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe	85
PID 4568 wrote to memory of 3144	4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe	85
PID 4568 wrote to memory of 3144	4568	b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe	85

C:\Users\Admin\AppData\Local\Temp\b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe
"C:\Users\Admin\AppData\Local\Temp\b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B6321A~1.EXE > nul
  2⤵
  PID:3144

C:\Windows\SysWOW64\iaacws.EXE
C:\Windows\SysWOW64\iaacws.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\khi4A67.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\khi4A67.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\SysWOW64\iaacws.EXE

Filesize
235KB

MD5
93daab6fc9b7259d284173bed17dd300

SHA1
119f522e48a02522673b0a33bb48e7c8fccdb0cc

SHA256
b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93

SHA512
cab980f08f76be4cf1a3a4fbc84791bbf3241c3560048484b105396a24074e5685cf756996a39929762a87fdf42c987bdcba8f06429d892e9338a6703aec990a

Download Submit
C:\Windows\SysWOW64\iaacws.EXE

Filesize
235KB

MD5
93daab6fc9b7259d284173bed17dd300

SHA1
119f522e48a02522673b0a33bb48e7c8fccdb0cc

SHA256
b6321aebd1bc7c4a4e1782493109db04c6bdfc0ae4882f69dec602dc8e9aae93

SHA512
cab980f08f76be4cf1a3a4fbc84791bbf3241c3560048484b105396a24074e5685cf756996a39929762a87fdf42c987bdcba8f06429d892e9338a6703aec990a

Download Submit
C:\Windows\Temp\nqiA884.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\nqiA884.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/2616-144-0x0000000000CE0000-0x0000000000D53000-memory.dmp

Filesize
460KB

Download
memory/2616-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2616-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4568-142-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4568-143-0x0000000000660000-0x00000000006D3000-memory.dmp

Filesize
460KB

Download
memory/4568-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4568-135-0x0000000000660000-0x00000000006D3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing