2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e

General

Target

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
Size

2.3MB
MD5

3f2033278fc85e929cdc6cb918ec5f0d
SHA1

28ceb3f58b40a3679291ce7254159a606ffee7fc
SHA256

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e
SHA512

96c51bf7ffdae4b57b23c40b97347df4c8b71d10eae9f7bcd3b6161961017285f6f51cd81177442ad5c288006b29daa828a11ecf8b5355e0972bf4dc178a6694
SSDEEP

49152:/h/051wXEqdwk0cQHGiYYSzSY5voVU7zQY:pM51wXEqdwkLQHHhsSYt8

Score

9^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	upx
behavioral2/memory/2496-136-0x0000000010000000-0x000000001003D000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2496-132-0x0000000000400000-0x0000000000682000-memory.dmp	vmprotect
behavioral2/memory/2496-133-0x0000000000400000-0x0000000000682000-memory.dmp	vmprotect
behavioral2/memory/2496-137-0x0000000000400000-0x0000000000682000-memory.dmp	vmprotect
behavioral2/memory/2496-138-0x0000000000400000-0x0000000000682000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

Processes:

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

pid	process
2496	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
2496	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

description	ioc	process
File opened (read-only)	\??\B:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\F:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\H:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\K:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\L:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\N:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\T:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\A:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\Y:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\O:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\P:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\W:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\X:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\J:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\I:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\Q:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\R:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\U:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\V:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\Z:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\E:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\M:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\S:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
File opened (read-only)	\??\G:	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

pid process

2496 2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3668	2496	WerFault.exe	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
4984	2496	WerFault.exe	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

pid	process
2496	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
2496	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
2496	2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe

C:\Users\Admin\AppData\Local\Temp\2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe
"C:\Users\Admin\AppData\Local\Temp\2b8200c0696b9bc85bb34978bc298af2c11d15a53962a77de5a6a648c96d960e.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1968
2⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1968
2⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2496 -ip 2496
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxwl_bh.dll
Filesize
62KB

MD5
9435c644ce28db438c050ebe544a0f0b

SHA1
882aa056c8dfb724b34037c95f7fd9f4ea59ecbd

SHA256
ca34dad6b2d447010c4436fb16a6ded53e9ee8111d0f6dad6359fc8717f5a24e

SHA512
222e5a7bb20965188962638b7ca1022a0fb0752ce181025615fcdec1e7447dde51d4cd946d0d68bcd270e8f21dacfea49b605c47b9b5b67bdcae1560219ea0d7

Download Submit
memory/2496-132-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2496-133-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2496-136-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2496-137-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2496-138-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads