754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206

General

Target

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe
Size

9.0MB
MD5

41d5c6102cccfc9cba0b720356740306
SHA1

95a22b78a1f88b03835eb141f58205776dc5f6c2
SHA256

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206
SHA512

9e9c07a351addcbfefa56e7b5e002594073dd6162f1ca22c756f356aec99829cd6f8abddc875be70435408e20ff338baf5ce550ef3e3d110168da848b6c9ed96
SSDEEP

196608:eRocF0HMnSx5SFMxgqo9KlgL/ZXtmsJN7WCDB1LJ6tTwuY:eGIeBXSAmU4t/7WC3QhY

Score

9^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\bskB710.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

setup_wm.exe

pid process

1640 setup_wm.exe

pid	process
1640	setup_wm.exe

Loads dropped DLL 2 IoCs

Processes:

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

pid	process
916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe
916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

pid process

916 754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exesetup_wm.exe

description	pid	process	target process
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 916 wrote to memory of 1640	916	754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe	setup_wm.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe
PID 1640 wrote to memory of 1164	1640	setup_wm.exe	pcaui.exe

C:\Users\Admin\AppData\Local\Temp\754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe
"C:\Users\Admin\AppData\Local\Temp\754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe /P:C:\Users\Admin\AppData\Local\Temp\754d605005ccecc6c497e8dda81cc2948ef9994f881cc665872eb3634c9e0206.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\pcaui.exe
"C:\Windows\System32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {fbafd16d-4f1b-4c5f-a888-a1875556711e} /a "Windows Media Technologies" /v "Microsoft" /s "This version of Windows Media Technologies is incompatible with or has been superseded by this version of Windows. For more information, view the information at the Microsoft web site." /b 2 /e "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe"
3⤵
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
Filesize
732KB

MD5
d56f7199c989d2aac3294494a47cb0bf

SHA1
92527280c90b4cfc27bbb66e2286ecd0a7b16868

SHA256
627ba2a882c7aceaadfe87bfff6e844a1b837037937a1ee47e415d2c894b0181

SHA512
6c52eceb6a6be0846edcc486a2cbc0b459870655edb9bd0b34e7c7df9d8a6ac8629953cac996f66687b8827873e94fe0cf1f81c987755fa7d657d0d9a8fd85a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
Filesize
732KB

MD5
d56f7199c989d2aac3294494a47cb0bf

SHA1
92527280c90b4cfc27bbb66e2286ecd0a7b16868

SHA256
627ba2a882c7aceaadfe87bfff6e844a1b837037937a1ee47e415d2c894b0181

SHA512
6c52eceb6a6be0846edcc486a2cbc0b459870655edb9bd0b34e7c7df9d8a6ac8629953cac996f66687b8827873e94fe0cf1f81c987755fa7d657d0d9a8fd85a2

Download Submit
\Users\Admin\AppData\Local\Temp\bskB710.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/916-57-0x00000000018E0000-0x00000000021B5000-memory.dmp

Filesize
8.8MB

Download
memory/916-58-0x00000000018E0000-0x00000000021B5000-memory.dmp

Filesize
8.8MB

Download
memory/916-59-0x00000000018E0000-0x00000000021B5000-memory.dmp

Filesize
8.8MB

Download
memory/916-60-0x00000000008E0000-0x0000000000953000-memory.dmp

Filesize
460KB

Download
memory/916-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x0000000001000000-0x00000000018D5000-memory.dmp

Filesize
8.8MB

Download
memory/916-66-0x0000000001000000-0x00000000018D5000-memory.dmp

Filesize
8.8MB

Download
memory/916-67-0x00000000018E0000-0x00000000021B5000-memory.dmp

Filesize
8.8MB

Download
memory/916-68-0x00000000008E0000-0x0000000000953000-memory.dmp

Filesize
460KB

Download
memory/1164-65-0x0000000000000000-mapping.dmp

Download
memory/1640-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads