Analysis
- max time kernel: 44s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 19:47
Static task: static1
Behavioral task: behavioral1
- Sample: 0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Resource: win10v2004-20221111-en
General
- Target: 0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Size: 748KB
- MD5: c6f237f5dc01f8799976986285f64a6f
- SHA1: b05d6cdd25bb4878b947096a43342c564ec5cd98
- SHA256: 0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c
- SHA512: 82558951013b0561d557a4102ee21cd3e3fbadea3fbc7b6c0c74b4e1c75ce306f7679477dc682f50f365fef33e8ffcc80d5c74d42127b87e592f99b9e789f3b4
- SSDEEP: 12288:QK4SzOnd/1KReU744mkKIGldg8q3tQKdAAMwAG68hZyl+DjmLsz6KTfNoVS+EVGf:Mm4QLjv0dgTdQFAMwX68hZ8+DjmLg6iS
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (3 IoCs)
  Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral1/files/0x0008000000005c51-54.dat   acprotect
  behavioral1/files/0x0008000000005c51-58.dat   acprotect
  behavioral1/files/0x0008000000005c51-62.dat   acprotect
- Loads dropped DLL (3 IoCs)
  pid    Process
  1352   0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
  1692   rundll32.exe
  624    0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                   Process
  File opened for modification   \??\PhysicalDrive0    0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Suspicious use of SetThreadContext (64 IoCs)
  description                          pid    Process        procid_target
  PID 1692 set thread context of 624   1692   rundll32.exe   27
  (the report lists this same entry 64 times)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  624    0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    624    0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  description                         pid    Process                                                                  procid_target
  PID 1352 wrote to memory of 1692    1352   0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe   26
  PID 1692 wrote to memory of 624     1692   rundll32.exe                                                             27
  (the first entry is listed 7 times in the report, the second accounts for the remaining 48 of the 55 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe"
  PID: 1352
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\V22007~1.EPE,EncryptPE_Init2
    PID: 1692
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
      PID: 624
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 489KB
  MD5: b53f01dd944cd2a25eeee3cb8bc22355
  SHA1: 5489b92bab9c50d62f6042fbc50b25700a3c8137
  SHA256: 2e8d7ac98b4abaaddbe6bd3a66916e4ea8a87f5ce5615a6d13ee4f5c0c4cc3e8
  SHA512: f4f9c5459e54c073a6042e4bab5a3c9e3d098989203c3021591f30f5a37f80eb77929b7881c18f1a69608500b3cab0822c79ddc6f77b1b16301131c3e41bb894
  (the report lists this same download entry three times)