Analysis
-
max time kernel: 251s
max time network: 332s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
  Resource: win10v2004-20220812-en
General
-
Target: adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
Size: 6.8MB
MD5: 5a8f1e9337bed342e2c72b1c51622d5e
SHA1: f4f1b8865cc2432ed1ce733efa0f51b5e1739e63
SHA256: adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01
SHA512: a7dde64b9c0acd366b4e799be50111a8a778e47f824bf3e339f0801c37b6cf23d333bc5ec81a725b10d865311faf5720c36fa720760211980e9c9927e3539014
SSDEEP: 196608:YUe2Emd1J0++xUFqZ4a0QeZY0Xx7WnsJ5F6EmO9IUWpmEiQ5:YUlE60hUq2AYY0UsX0fzZp15
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects a file packed with ACProtect (a commercial executable protector). All three hits are on the dropped gtlC340.tmp, not on the submitted sample itself.
Processes:
  resource                                        yara_rule
  \Users\Admin\AppData\Local\Temp\gtlC340.tmp     acprotect
  \Users\Admin\AppData\Local\Temp\gtlC340.tmp     acprotect
  C:\Users\Admin\AppData\Local\Temp\gtlC340.tmp   acprotect
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  544   install.exe
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  756   adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
  756   adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
  544   install.exe
  544   install.exe
  544   install.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  544   install.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  756   adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description                pid   process                                                                  target process
  PID 756 wrote to memory of 544   adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe    install.exe
  (the same event, parent PID 756 writing into its child PID 544, is recorded seven times, one row per call)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe"
   PID: 756
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\0ed11014084a85a017044219b9c273\install.exe (child of PID 756)
      Command line: c:\0ed11014084a85a017044219b9c273\install.exe
      PID: 544
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
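The process tree and the signatures above describe one pattern: the submitted sample drops install.exe into a hex-named directory at the drive root, launches it, and then writes into the child's memory. The script below is an added example (not the sandbox's own code) that takes the two processes, the seven WriteProcessMemory rows and the dropped-file entries from this report as constructed records, deduplicates the file list by SHA256 (the report lists install.exe under three path spellings), and flags exactly that parent-into-dropped-child write. The record field names, the normalize() helper and the "24 or more hex characters means a random-looking directory" threshold are assumptions of the example.

```python
"""Added example: triage of the behavioral IoCs in this sandbox report.

Not the sandbox's own code. The records below are constructed from the
report: the two processes, the seven WriteProcessMemory events and the
dropped-file list. Field names, normalize() and the "24+ hex characters =
random-looking directory" threshold are assumptions of this example.
"""
import re
from collections import defaultdict

SAMPLE = "adbf8b75bd682628eecc920eb41ce3ae335c127d0db025e0208f977e720e9d01.exe"

# Process tree as the sandbox recorded it (constructed from the report).
PROCESSES = [
    {"pid": 756, "parent": None,
     "path": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE},
    {"pid": 544, "parent": 756,
     "path": r"\??\c:\0ed11014084a85a017044219b9c273\install.exe"},
]

# WriteProcessMemory events as (writer pid, target pid); the report lists the
# same pair seven times, one row per call.
WPM_EVENTS = [(756, 544)] * 7

# Dropped-file entries as (path as listed, size in KB, SHA256). The report
# repeats the same content under several path spellings.
DROPPED = [
    (r"C:\0ed11014084a85a017044219b9c273\install.exe", 217,
     "493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c"),
    (r"C:\Users\Admin\AppData\Local\Temp\gtlC340.tmp", 172,
     "cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc"),
    (r"\0ed11014084a85a017044219b9c273\install.exe", 217,
     "493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c"),
    (r"\0ed11014084a85a017044219b9c273\install.res.dll", 387,
     "3a8d0e162af7ee98e89a1df547e7582fe310bddbd0f7b68aab3102bf17fdf66f"),
    (r"\??\c:\0ed11014084a85a017044219b9c273\install.exe", 217,
     "493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c"),
    (r"\??\c:\0ed11014084a85a017044219b9c273\install.res.dll", 387,
     "3a8d0e162af7ee98e89a1df547e7582fe310bddbd0f7b68aab3102bf17fdf66f"),
    (r"\Users\Admin\AppData\Local\Temp\gtlC340.tmp", 172,
     "cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc"),
]

# Heuristic (assumption): a path component of 24+ hex chars is "random-looking".
RANDOM_DIR = re.compile(r"^[0-9a-f]{24,}$")


def normalize(path):
    """Map the NT form (\\??\\c:\\...) and the drive-less form (\\dir\\...)
    that the sandbox emits onto one lower-case Win32 path, so the same file
    compares equal however the report spelled it."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path          # assumption: everything lives on C:
    return path.lower()


def dedupe_dropped(entries):
    """Group dropped-file entries by SHA256 -> sorted list of distinct paths."""
    by_hash = defaultdict(set)
    for path, _size_kb, sha256 in entries:
        by_hash[sha256].add(normalize(path))
    return {sha256: sorted(paths) for sha256, paths in by_hash.items()}


def flag_injection_into_dropped_child(processes, wpm_events, entries):
    """Report (writer, target) pairs where the writer is the target's parent,
    the target's image is one of the dropped files, and that image sits
    directly under a random-looking directory. Repeated calls are counted,
    not reported separately."""
    procs = {p["pid"]: p for p in processes}
    dropped = {normalize(p) for p, _, _ in entries}
    findings = []
    for writer, target in sorted(set(wpm_events)):
        tgt = procs.get(target)
        if tgt is None or tgt["parent"] != writer:
            continue                # not parent-to-child; out of scope here
        image = normalize(tgt["path"])
        parts = image.split("\\")
        findings.append({
            "writer": writer,
            "target": target,
            "image": image,
            "dropped": image in dropped,
            "random_dir": len(parts) >= 3 and bool(RANDOM_DIR.match(parts[-2])),
            "calls": wpm_events.count((writer, target)),
        })
    return findings


if __name__ == "__main__":
    for sha256, paths in dedupe_dropped(DROPPED).items():
        print(sha256[:16], paths)
    for finding in flag_injection_into_dropped_child(PROCESSES, WPM_EVENTS, DROPPED):
        print(finding)
```

Run as-is it prints three distinct dropped files (install.exe, install.res.dll, gtlC340.tmp) and a single finding for 756 -> 544 with calls=7. The deduplication matters in practice because the same file appearing under `\??\c:\`, `C:\` and a drive-less path inflates the IoC count without adding information; the heuristic on the directory name is only a hint and should be combined with the "Executes dropped EXE" signature rather than used alone.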
Network
MITRE ATT&CK Matrix
Downloads
-
C:\0ed11014084a85a017044219b9c273\install.exe
  Filesize: 217KB
  MD5: 2f0b99f7b9b85abc82e4f26eb2ed95d5
  SHA1: 0a156c5da81c9a7ec35da1e441c016f8c01cefd0
  SHA256: 493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c
  SHA512: 47838d0178e6da8021bcbad74d2be47d04f3cd853ba2b695efca655ce6d4365f987b0cd914691d39a88fd6acbdeb7379b24d880abb9d7c391b5eb731feef7823
-
C:\Users\Admin\AppData\Local\Temp\gtlC340.tmp
  Filesize: 172KB
  MD5: 4f407b29d53e9eb54e22d096fce82aa7
  SHA1: a4ee25b066cac19ff679dd491f5791652bb71185
  SHA256: cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc
  SHA512: 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183
-
\0ed11014084a85a017044219b9c273\install.exe
  Filesize: 217KB
  MD5: 2f0b99f7b9b85abc82e4f26eb2ed95d5
  SHA1: 0a156c5da81c9a7ec35da1e441c016f8c01cefd0
  SHA256: 493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c
  SHA512: 47838d0178e6da8021bcbad74d2be47d04f3cd853ba2b695efca655ce6d4365f987b0cd914691d39a88fd6acbdeb7379b24d880abb9d7c391b5eb731feef7823
-
\0ed11014084a85a017044219b9c273\install.res.dll
  Filesize: 387KB
  MD5: 8beb73adaa52565534908846ad09ef02
  SHA1: f56cb94248057fa4513aef07f07cf581ec5ce938
  SHA256: 3a8d0e162af7ee98e89a1df547e7582fe310bddbd0f7b68aab3102bf17fdf66f
  SHA512: f788d085fe92851542f4a5f6fb93a28a273d6f682764de585fea6715ad50959ac6686e7931cda56c48a5fce3cf8228340d09d42614f823f854f67721bb5cfa35
-
\??\c:\0ed11014084a85a017044219b9c273\install.exe
  Filesize: 217KB
  MD5: 2f0b99f7b9b85abc82e4f26eb2ed95d5
  SHA1: 0a156c5da81c9a7ec35da1e441c016f8c01cefd0
  SHA256: 493586eed708fe42a72a3c13c3a8adcf01ef9f50fe85d34282c62745c9287b1c
  SHA512: 47838d0178e6da8021bcbad74d2be47d04f3cd853ba2b695efca655ce6d4365f987b0cd914691d39a88fd6acbdeb7379b24d880abb9d7c391b5eb731feef7823
-
\??\c:\0ed11014084a85a017044219b9c273\install.res.dll
  Filesize: 387KB
  MD5: 8beb73adaa52565534908846ad09ef02
  SHA1: f56cb94248057fa4513aef07f07cf581ec5ce938
  SHA256: 3a8d0e162af7ee98e89a1df547e7582fe310bddbd0f7b68aab3102bf17fdf66f
  SHA512: f788d085fe92851542f4a5f6fb93a28a273d6f682764de585fea6715ad50959ac6686e7931cda56c48a5fce3cf8228340d09d42614f823f854f67721bb5cfa35
-
\Users\Admin\AppData\Local\Temp\gtlC340.tmp
  Filesize: 172KB
  MD5: 4f407b29d53e9eb54e22d096fce82aa7
  SHA1: a4ee25b066cac19ff679dd491f5791652bb71185
  SHA256: cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc
  SHA512: 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183
-
memory/544-58-0x0000000000000000-mapping.dmp
-
memory/544-69-0x0000000000760000-0x00000000007D4000-memory.dmp
  Filesize: 464KB
-
memory/756-54-0x0000000001000000-0x0000000001020000-memory.dmp
  Filesize: 128KB
-
memory/756-55-0x00000000753F1000-0x00000000753F3000-memory.dmp
  Filesize: 8KB
-
memory/756-67-0x0000000000020000-0x0000000000040000-memory.dmp
  Filesize: 128KB
-
memory/756-68-0x00000000007C0000-0x0000000000834000-memory.dmp
  Filesize: 464KB
-
memory/756-70-0x0000000001000000-0x0000000001020000-memory.dmp
  Filesize: 128KB
-
memory/756-71-0x0000000000020000-0x0000000000040000-memory.dmp
  Filesize: 128KB