3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0 | Triage

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:54

Sharing

Report Analysis Logs

General

Target

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Size

26KB
MD5

71e287f0c0aa4899d7739e509c08f30c
SHA1

d56e1b5b055059c6524ae20776e5d8888247ef5e
SHA256

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0
SHA512

a120fb59e8d0f9fb9c47ae6ed2ca617424381beb6e1912e432b6092540f14b82537745b0b264e31b84ab35dcddf43f051dc28b46a43d2d09e1fc75f38b14a83d
SSDEEP

384:qdYCMG4nYUEaeH9lKv6wEPjxoW8mfHWb/Lhx0AkDRS+vI9xgrr1FLUOADu+G3EE:IMPnYU4k6w2jxoWCbFMvIv6rLUOADu+g

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\704C3595.dll	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2536-132-0x0000000000400000-0x0000000000409000-memory.dmp	upx
C:\Windows\SysWOW64\704C3595.dll	upx
behavioral2/memory/2536-134-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/2536-135-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2536-137-0x0000000010000000-0x0000000010012000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Loads dropped DLL 1 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

pid process

2536 3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Drops file in System32 directory 1 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\704C3595.dll	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Drops file in Windows directory 1 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	ioc	process
File opened for modification	C:\Windows\fOnts\S8a8cnEuaydPJGg8.Ttf	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32\ = "C:\\Windows\\SysWow64\\704C3595.dll"	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32\ThreadingModel = "Apartment"	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

pid	process
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	pid	process
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
Token: SeDebugPrivilege	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

pid process

2536 3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe

description	pid	process	target process
PID 2536 wrote to memory of 3700	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe	cmd.exe
PID 2536 wrote to memory of 3700	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe	cmd.exe
PID 2536 wrote to memory of 3700	2536	3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe
"C:\Users\Admin\AppData\Local\Temp\3f7ade8cf24e89cbfb394a2d70b3a2400a725a155fb4e59dd9f8ae4e781f88e0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F7ADE~1.EXE >> NUL
2⤵
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\704C3595.dll
Filesize
20KB

MD5
5f0b0c5ff05c1eea3a8e8e3ce90d03e3

SHA1
6dad84eee76bd4929c6ea12ea06e13425ba90083

SHA256
0ab641575ca1594fd1253c68222b5dfafa3b88570a54915b84704fb3e6f08248

SHA512
680ca20a9f8c4a7092d2e9325ba9ae6b8fe2c894541b013881d4776098ec7537131a934aaf525a177aa6de2639f981d12e5c0cfcf4553ab8364df543279f0b9c

Download Submit
memory/2536-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2536-134-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2536-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2536-137-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3700-136-0x0000000000000000-mapping.dmp

Download