ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee

Reason

Machine shutdown

General

Target

ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
Size

929KB
MD5

0f43b40d5f15e33283c6f0dd2cc84e86
SHA1

6b7bb79bade4daff829704de0611b8763650e704
SHA256

ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee
SHA512

8d0ba92c65b18c55389adab9691ed65b74324194130fd638bf4391c09096c46b9c45e78133cbd38dd9041dd2c0cadc45ab3ebd5c0287c31063abe4f35b8b67aa
SSDEEP

12288:zya4OjigvrwsuIaEUMJaKqptyLuziCKvDNgQpwKTavW2gsBb46sefiikt+GKmLPW:2a7ZvkDZnJtmeiC6BuK+CsO6mL1KuCSC

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	acprotect
behavioral1/files/0x00140000000054ab-58.dat	acprotect
behavioral1/files/0x00140000000054ab-59.dat	acprotect
behavioral1/files/0x00140000000054ab-65.dat	acprotect
behavioral1/files/0x00140000000054ab-69.dat	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-72-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
856	regsvr32.exe
2044	regsvr32.exe
1744	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1856	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2036	shutdown.exe
Token: SeRemoteShutdownPrivilege	2036	shutdown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	28
PID 1520 wrote to memory of 1856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	29
PID 1520 wrote to memory of 1856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	29
PID 1520 wrote to memory of 1856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	29
PID 1520 wrote to memory of 1856	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	29
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 2044	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	30
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 1744	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	31
PID 1520 wrote to memory of 2036	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	32
PID 1520 wrote to memory of 2036	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	32
PID 1520 wrote to memory of 2036	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	32
PID 1520 wrote to memory of 2036	1520	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	32

C:\Users\Admin\AppData\Local\Temp\ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
"C:\Users\Admin\AppData\Local\Temp\ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s wuaueng.dll
  2⤵
  - Loads dropped DLL
  PID:856
- C:\Windows\SysWOW64\regedit.exe
  regedit /s c:\ie8\okok.reg
  2⤵
  - Runs .reg file with regedit
  PID:1856
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s remotepg.dll
  2⤵
  - Loads dropped DLL
  PID:2044
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s wuaueng.dll
  2⤵
  - Loads dropped DLL
  PID:1744
- C:\Windows\SysWOW64\shutdown.exe
  shutdown.exe -c 祝贺您：IE8安装完毕！重启后生效. -r
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hxkED4C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\hxkED4C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\hxkED4C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\hxkED4C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\hxkED4C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/856-60-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/1520-72-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1520-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1520-73-0x0000000000150000-0x00000000001C3000-memory.dmp

Filesize
460KB

Download
memory/1680-74-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/1744-70-0x00000000001E0000-0x0000000000253000-memory.dmp

Filesize
460KB

Download
memory/2044-66-0x0000000000210000-0x0000000000283000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

Errors