Analysis
-
max time kernel
112s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 20:45
General
-
Target
dc8abab8b4ac78e63c9412d44f02f3dfbe055d4de4d2e2060451a649125673ba.exe
-
Size
275KB
-
MD5
5555f3e8200401987138db18aee5e61e
-
SHA1
b5cfd44d1bcd437aa7dd0fc75cda1b5eadd19e46
-
SHA256
dc8abab8b4ac78e63c9412d44f02f3dfbe055d4de4d2e2060451a649125673ba
-
SHA512
39701c9547075accec9d6930f5a30fca6c9501b46a7dfc9042754dfe8e55bb48c11b6b3ec2e3568920ba0332c8e570e490249c7409175df87c7026be8c97bfa5
-
SSDEEP
6144:RBKHYmz6mq2pmHmFV2YjnWuwqzeRhva/cfAO9EJgO:G4m5bpnL2KnEqCRhvaU4j
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc8abab8b4ac78e63c9412d44f02f3dfbe055d4de4d2e2060451a649125673ba.exe"C:\Users\Admin\AppData\Local\Temp\dc8abab8b4ac78e63c9412d44f02f3dfbe055d4de4d2e2060451a649125673ba.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exeC:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe" ##cmd=1;supplyid=601162⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQDownload.dllFilesize
636KB
MD5e2401fa2c7096c83a26153135c389b5c
SHA17f453599197034ec36716577d4525e4961444af8
SHA256a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61
SHA512a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exeFilesize
449KB
MD577f662ee28f3965a4d8f3fc0cf55e5d9
SHA1c78e1e0846bc5a5be770dd1159266c995b4b6fcb
SHA2563e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2
SHA5124fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exeFilesize
449KB
MD577f662ee28f3965a4d8f3fc0cf55e5d9
SHA1c78e1e0846bc5a5be770dd1159266c995b4b6fcb
SHA2563e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2
SHA5124fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\qqdownload.dllFilesize
636KB
MD5e2401fa2c7096c83a26153135c389b5c
SHA17f453599197034ec36716577d4525e4961444af8
SHA256a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61
SHA512a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d
-
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exeFilesize
889KB
MD5d7df8b258c882fe7ac2229ab26efa83d
SHA1dc099e6be8e77900f34728d46f331ff6e14dae75
SHA2569c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0
SHA512cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638
-
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exeFilesize
889KB
MD5d7df8b258c882fe7ac2229ab26efa83d
SHA1dc099e6be8e77900f34728d46f331ff6e14dae75
SHA2569c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0
SHA512cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638
-
memory/4228-135-0x0000000000000000-mapping.dmp
-
memory/4228-140-0x0000000010000000-0x00000000101DA000-memory.dmpFilesize
1.9MB
-
memory/4284-132-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB
-
memory/4284-141-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB