374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7

General

Target

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
Size

331KB
MD5

079a73d20e88e53505eb15c948efed38
SHA1

32d5c01ffe1e5e4acf6a11336980b704c0bccb9a
SHA256

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7
SHA512

4e24d618d218fdff90bf24193ee5593b535de496538ff3dd60fda81228047c1482e7bb7acdff1f7516065794a6764cebfcc9fd75fbe483d2e643bde6de8cc2ca
SSDEEP

6144:1EUXFyeH+qIrfLJWUELKFY4n6+E9g3xp4S7gpPM0bO2nS:1EyyeelrfLJHEuFYQw4iggpF9nS

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsrB847.tmp\execDos.dll	acprotect
behavioral2/memory/4528-133-0x0000000074CC0000-0x0000000074CC8000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

Processes:

7za.exemax.exe

pid process

2592 7za.exe
4516 max.exe

pid	process
2592	7za.exe
4516	max.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsrB847.tmp\execDos.dll	upx
behavioral2/memory/4528-133-0x0000000074CC0000-0x0000000074CC8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7za.exe	upx
C:\Users\Admin\AppData\Local\Temp\7za.exe	upx
behavioral2/memory/2592-137-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2592-139-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2592-140-0x0000000000400000-0x000000000049D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

pid process

4528 374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

max.exe

pid process

4516 max.exe
4516 max.exe
4516 max.exe

pid	process
4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

pid	process
4516	max.exe
4516	max.exe
4516	max.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe

description	pid	process	target process
PID 4528 wrote to memory of 2592	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 4528 wrote to memory of 2592	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 4528 wrote to memory of 2592	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	7za.exe
PID 4528 wrote to memory of 4516	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe
PID 4528 wrote to memory of 4516	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe
PID 4528 wrote to memory of 4516	4528	374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe	max.exe

C:\Users\Admin\AppData\Local\Temp\374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe
"C:\Users\Admin\AppData\Local\Temp\374e7d62f52162a40291dd7b425b75fa27ba5773ff0ef519767461201770d3d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\44mFaD.7z" -p9c9cO4234%$ -o"C:\Users\Admin\AppData\Local\Temp\49\2445\" -aoa
2⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44mFaD.7z
Filesize
7KB

MD5
b1232c84418d0059d8ee54e0d1ec4277

SHA1
377f27787cacd346b0b32ea6736890d5824cd677

SHA256
2e14ccdb8e1bef360a41b2b32412c5127c23ba26b4f8a52f4fc75f99ea25b906

SHA512
dfab43226f02cf5e107ee4c836c664ee6220e2ae7888dc90ef1590627ff566ddc5a89db85a3f10939532cc765741a440bcf6ac892a833afe614c9cadbc22d90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49\2445\max.exe
Filesize
28KB

MD5
2d87ecd6331f638fcdd8a8ba97de1b28

SHA1
64a7633a3226a67f255c2947741092822c34739e

SHA256
ac9c795ba19a2d5c25a05b126ce789f0814fa6165765dfc5759e24d7332b65ba

SHA512
4b12a63df7d71c1be951ade63e0c78102d010268922864633799d5a513d44db55cb712fb82e7353adeaa681c192603c8f505c9baf01f98a8b867d4552416140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe
Filesize
260KB

MD5
7cedc7913647fac697bfe03349a062be

SHA1
9b2f0ec76dea38f10290a8c7b5f7bfaa39751ee9

SHA256
97b278d4d1598cf70afb41ade5c9db538f3670be34b3c4c41fc472aa32e6a3fa

SHA512
c3cbfe5a02c4e324828b207d28bea5d70ae88dbfcaafc40a18938e45c4ec3ca2a3fed8a72cd4f98527e73625c1fb1d7d5133494d3200b35f658b636ddac8d435

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe
Filesize
260KB

MD5
7cedc7913647fac697bfe03349a062be

SHA1
9b2f0ec76dea38f10290a8c7b5f7bfaa39751ee9

SHA256
97b278d4d1598cf70afb41ade5c9db538f3670be34b3c4c41fc472aa32e6a3fa

SHA512
c3cbfe5a02c4e324828b207d28bea5d70ae88dbfcaafc40a18938e45c4ec3ca2a3fed8a72cd4f98527e73625c1fb1d7d5133494d3200b35f658b636ddac8d435

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB847.tmp\execDos.dll
Filesize
4KB

MD5
8b91ead6b80a430bef361ea6949a5bb0

SHA1
e12b5e36f4ede12aecc65a75ccc2e5cedc25f7b2

SHA256
f270c0d6c3a29fcf8f3ae779a61edce7e985e41feaafffd5afa422de56522d72

SHA512
77934a6684d7482fed1376a349391b2731d1714b92cfc46e109b3c19601535a085514d0b7b80bd1f6ffbd7d5b16cc8cbeab89810439d29962d4da29020022a66

Download Submit
memory/2592-134-0x0000000000000000-mapping.dmp

Download
memory/2592-137-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2592-139-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2592-140-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4516-141-0x0000000000000000-mapping.dmp

Download
memory/4528-133-0x0000000074CC0000-0x0000000074CC8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads