337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe
Size

4.9MB
MD5

8dfedf44df24c6489457364c6aa2bce6
SHA1

783018248659a577764846df9f6e769c3c1d8d60
SHA256

337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41
SHA512

4c650d649867e7a37af5562b72a4c5875e2f759aced9eafd4442f0208e09735b59da2bb46e8e516fcd4f7a0a72606298336a2f0167dd6c747e3afdf8fe8ffda7
SSDEEP

98304:vvQFmKGFifzTyhP/yA+9casWl5MxxIM/OslccANWdLQkFjB:XQNGFcYy19casWl5q9cRqjB

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	acprotect

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	upx
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	upx
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	upx
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	upx
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll	upx
behavioral1/memory/1072-62-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

rundll32.exe337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe

pid	process
1072	rundll32.exe
1072	rundll32.exe
1072	rundll32.exe
1072	rundll32.exe
1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe
1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	840	AUDIODG.EXE
Token: 33	840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	840	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe

description	pid	process	target process
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe
PID 1220 wrote to memory of 1072	1220	337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe
"C:\Users\Admin\AppData\Local\Temp\337177ae44e48604c11aef35519094b0d21b9e25154566e840a40dacb1096c41.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe autostarter.dll,ShowSplash C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\splash,
2⤵
- Loads dropped DLL
PID:1072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\splash.bmp

Filesize
153KB

MD5
5187923d66d9b8c551ff9853e0df80bd

SHA1
2c74c8bd8bb7175164f2d6907fb3982691f53e71

SHA256
1c7177c6f211ed6be86cb2f40dae6f337d38dc4f539e13e901a967d46865158f

SHA512
e9dd5a82ba4533b1db4a15dc8f367797e90d18117f0e1a8e2a58c7d52013f3758a3a2729c18ca58f1e118451ee893c28965495b1ffbfc48ea38e772a05fa088f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\splash.wav

Filesize
512KB

MD5
1bacc2e80ac087fe2e00f8870e92cd65

SHA1
7e8598a9d1164687417ec2873d025f66b6086590

SHA256
198d44438af93b3ea5dc9602f94f188bf04491e4b0f15c6f9cd18089962812f3

SHA512
6294b2b026be87863b58c63e32d71c9f7d5bb2c3f1e648aec92bdcd82e8ad489de6e2459eaf0da3d86369e7cdab93433a8b04c4137b81081b3156f4cc46ba1c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\InstallOptions.dll

Filesize
14KB

MD5
b18dfaded8f6d2380fdfd8f6b6969211

SHA1
969fa0e906240ab1123254feeb833c275626cf76

SHA256
747d0222b652dbfc85e0de4f8486473662d325a55e32c7eacb91e53e37ceba58

SHA512
25fb09b8657997d31e61c908f1cd08357c1a1b68bbb1ba377e87b6a3eb347a2ef96c1a771b6c4332853abb33728c55c83efa73df5da03f3dfc132f8a69a2886c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\LangDLL.dll

Filesize
5KB

MD5
9b17a13f814b137f88b961c087858063

SHA1
c290dd3139b79aa340aec3ed3d674160433035e1

SHA256
e54792a179a06acbb9b69c117ee804dce070505d1853d6e7d512f2a055a801b2

SHA512
3a625f5f13e344c24973c79c074d1ced4d9206f87f392dc7c8f0c116d0f2b878b60340e2377d0240c47f0e34e25e4e3af8b196bbca1c6a29a0f51d8408e8b0ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj75CE.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
memory/1072-55-0x0000000000000000-mapping.dmp

Download
memory/1072-62-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1220-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download