Analysis
max time kernel
33s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted
23-11-2022 21:19
Static task
static1
Behavioral task
behavioral1
Sample
e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
Resource
win10v2004-20221111-en
General
Target
e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
Size
2.5MB
MD5
1b8b276db0383d316589ccf81d39d0f7
SHA1
5c5b9969423bfd003ef81aec2a5bbbacdace2890
SHA256
e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad
SHA512
08eb57503cfc64f540dd82f0c53794660798449d8aff0b896ee80424d8a40130fa8a3c439b3e9197f9dfe1341ecff27014916142d54a82da514fc3c6c5b9ffef
SSDEEP
49152:wajg7DRg+d0TvVaLjwVW5GtJ/ws1OY1dBpna+pT5ZvFEbWVSwummsQ:wagm+dGat0t9Rj1Fas7ddwmY
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
Processes:
resource                                          yara_rule
\Users\Admin\AppData\Local\Temp\vik58DB.tmp       acprotect
C:\Users\Admin\AppData\Local\Temp\vik58DB.tmp     acprotect
\Users\Admin\AppData\Local\Temp\vik58DB.tmp       acprotect

Executes dropped EXE 1 IoCs
Processes:
pid    process
584    INS871D.tmp

Loads dropped DLL 4 IoCs
Processes:
pid    process
1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
584    INS871D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid    process                                                                  target process
PID 1624 wrote to memory of 584    1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe    INS871D.tmp
PID 1624 wrote to memory of 584    1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe    INS871D.tmp
PID 1624 wrote to memory of 584    1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe    INS871D.tmp
PID 1624 wrote to memory of 584    1624   e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe    INS871D.tmp
Processes
C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
    C:\Users\Admin\AppData\Local\Temp\INS871D.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\INS871D.tmp /SL C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe 2412316 68096
      - Executes dropped EXE
      - Loads dropped DLL
      PID:584
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
364KB
MD5
d8352d45f5f66014779e0b75689885d2
SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c
SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64
SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Filesize
172KB
MD5
685f1cbd4af30a1d0c25f252d399a666
SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9