374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7

Analysis

max time kernel
42s
max time network
76s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
Size

331KB
MD5

079a73d20e88e53505eb15c948efed38
SHA1

32d5c01ffe1e5e4acf6a11336980b704c0bccb9a
SHA256

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7
SHA512

4e24d618d218fdff90bf24193ee5593b535de496538ff3dd60fda81228047c1482e7bb7acdff1f7516065794a6764cebfcc9fd75fbe483d2e643bde6de8cc2ca
SSDEEP

6144:1EUXFyeH+qIrfLJWUELKFY4n6+E9g3xp4S7gpPM0bO2nS:1EyyeelrfLJHEuFYQw4iggpF9nS

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nso22C0.tmp\execDos.dll	acprotect
behavioral1/memory/1720-62-0x0000000074BE0000-0x0000000074BE8000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

Processes:

7za.exemax.exe

pid process

2012 7za.exe
808 max.exe

pid	process
2012	7za.exe
808	max.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nso22C0.tmp\execDos.dll	upx
\Users\Admin\AppData\Local\Temp\7za.exe	upx
\Users\Admin\AppData\Local\Temp\7za.exe	upx
C:\Users\Admin\AppData\Local\Temp\7za.exe	upx
behavioral1/memory/2012-61-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1720-62-0x0000000074BE0000-0x0000000074BE8000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

pid	process
1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

max.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main max.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

max.exe

pid process

808 max.exe
808 max.exe
808 max.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	max.exe

pid	process
808	max.exe
808	max.exe
808	max.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

description	pid	process	target process
PID 1720 wrote to memory of 2012	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 1720 wrote to memory of 2012	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 1720 wrote to memory of 2012	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 1720 wrote to memory of 2012	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 1720 wrote to memory of 808	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe
PID 1720 wrote to memory of 808	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe
PID 1720 wrote to memory of 808	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe
PID 1720 wrote to memory of 808	1720	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe

C:\Users\Admin\AppData\Local\Temp\374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
"C:\Users\Admin\AppData\Local\Temp\374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\44mFaD.7z" -p9c9cO4234%$ -o"C:\Users\Admin\AppData\Local\Temp\49\2445\" -aoa
2⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44mFaD.7z

Filesize
7KB

MD5
b1232c84418d0059d8ee54e0d1ec4277

SHA1
377f27787cacd346b0b32ea6736890d5824cd677

SHA256
2e14ccdb8e1bef360a41b2b32412c5127c23ba26b4f8a52f4fc75f99ea25b906

SHA512
dfab43226f02cf5e107ee4c836c664ee6220e2ae7888dc90ef1590627ff566ddc5a89db85a3f10939532cc765741a440bcf6ac892a833afe614c9cadbc22d90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe

Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe

Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
260KB

MD5
7cedc7913647fac697bfe03349a062be

SHA1
9b2f0ec76dea38f10290a8c7b5f7bfaa39751ee9

SHA256
97b278d4d1598cf70afb41ade5c9db538f3670be34b3c4c41fc472aa32e6a3fa

SHA512
c3cbfe5a02c4e324828b207d28bea5d70ae88dbfcaafc40a18938e45c4ec3ca2a3fed8a72cd4f98527e73625c1fb1d7d5133494d3200b35f658b636ddac8d435

Download Submit
\Users\Admin\AppData\Local\Temp\49\2445\max.exe

Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
\Users\Admin\AppData\Local\Temp\49\2445\max.exe

Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
260KB

MD5
7cedc7913647fac697bfe03349a062be

SHA1
9b2f0ec76dea38f10290a8c7b5f7bfaa39751ee9

SHA256
97b278d4d1598cf70afb41ade5c9db538f3670be34b3c4c41fc472aa32e6a3fa

SHA512
c3cbfe5a02c4e324828b207d28bea5d70ae88dbfcaafc40a18938e45c4ec3ca2a3fed8a72cd4f98527e73625c1fb1d7d5133494d3200b35f658b636ddac8d435

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
260KB

MD5
7cedc7913647fac697bfe03349a062be

SHA1
9b2f0ec76dea38f10290a8c7b5f7bfaa39751ee9

SHA256
97b278d4d1598cf70afb41ade5c9db538f3670be34b3c4c41fc472aa32e6a3fa

SHA512
c3cbfe5a02c4e324828b207d28bea5d70ae88dbfcaafc40a18938e45c4ec3ca2a3fed8a72cd4f98527e73625c1fb1d7d5133494d3200b35f658b636ddac8d435

Download Submit
\Users\Admin\AppData\Local\Temp\nso22C0.tmp\execDos.dll

Filesize
4KB

MD5
8b91ead6b80a430bef361ea6949a5bb0

SHA1
e12b5e36f4ede12aecc65a75ccc2e5cedc25f7b2

SHA256
f270c0d6c3a29fcf8f3ae779a61edce7e985e41feaafffd5afa422de56522d72

SHA512
77934a6684d7482fed1376a349391b2731d1714b92cfc46e109b3c19601535a085514d0b7b80bd1f6ffbd7d5b16cc8cbeab89810439d29962d4da29020022a66

Download Submit
memory/808-72-0x0000000003DF1000-0x000000000411C000-memory.dmp

Filesize
3.2MB

Download
memory/808-67-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000074BE0000-0x0000000074BE8000-memory.dmp

Filesize
32KB

Download
memory/1720-63-0x0000000002430000-0x00000000024CD000-memory.dmp

Filesize
628KB

Download
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/2012-61-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2012-58-0x0000000000000000-mapping.dmp

Download