ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b

General

Target

ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe
Size

3.1MB
MD5

d4a4e898bb7ea3053e38f7ff73617add
SHA1

cef425d7ac96cc25b6742cfd36f92e3502beb542
SHA256

ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b
SHA512

8499e6afe20ff11a819c9c6f34376fcf681abd453b7abdb7a67e5da5b9598ff4b2a5f9b2c913d1620b60daf7f86279ef444721403579b9cd5f988e9829d6607a
SSDEEP

49152:TEOpMnjxxgo7/OndCI4RdqcxO2I30CyxlOA99rJqLqPeObCqN68/w2EnWGRYBsub:LpgB7mJ/3o/yqPo8GYBsRAs8h

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tfk34C7.tmp	acprotect
\Users\Admin\AppData\Local\Temp\tfk34C7.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\tfk34C7.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

is-JV3LP.tmp

pid process

1144 is-JV3LP.tmp

pid	process
1144	is-JV3LP.tmp

Loads dropped DLL 5 IoCs

Processes:

ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exeis-JV3LP.tmp

pid	process
1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe
1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe
1144	is-JV3LP.tmp
1144	is-JV3LP.tmp
1144	is-JV3LP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

is-JV3LP.tmp

pid process

1144 is-JV3LP.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe

pid process

1720 ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe

pid	process
1144	is-JV3LP.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe

description	pid	process	target process
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp
PID 1720 wrote to memory of 1144	1720	ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe	is-JV3LP.tmp

C:\Users\Admin\AppData\Local\Temp\ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe
"C:\Users\Admin\AppData\Local\Temp\ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\is-VQ6OA.tmp\is-JV3LP.tmp
C:\Users\Admin\AppData\Local\Temp\is-VQ6OA.tmp\is-JV3LP.tmp /SL4 $70122 C:\Users\Admin\AppData\Local\Temp\ad75d725b944673f4c4bd57d96256f0960c405183e74a4ec778bc672c9a6ca1b.exe 3041337 68096
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-VQ6OA.tmp\is-JV3LP.tmp

Filesize
550KB

MD5
48253758692b9ae0f764a6e8308b27d3

SHA1
a83c98ad6c06be7ee4f9a2c94e16eb3d26cad548

SHA256
f05568b083000781cac228c0e5b4de779a3b502d7a9517acf821e2ca47afbe05

SHA512
92e5f3bd2c4c91e139a209066a3deb0dbffa9df0f093b8988845dc0b2fbe0bb6ce59bf14b1e9d8e3eb2e8ac3a6df976f17e02db9dce9b2e580be3ace74f90ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VQ6OA.tmp\is-JV3LP.tmp

Filesize
550KB

MD5
48253758692b9ae0f764a6e8308b27d3

SHA1
a83c98ad6c06be7ee4f9a2c94e16eb3d26cad548

SHA256
f05568b083000781cac228c0e5b4de779a3b502d7a9517acf821e2ca47afbe05

SHA512
92e5f3bd2c4c91e139a209066a3deb0dbffa9df0f093b8988845dc0b2fbe0bb6ce59bf14b1e9d8e3eb2e8ac3a6df976f17e02db9dce9b2e580be3ace74f90ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfk34C7.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Users\Admin\AppData\Local\Temp\is-6I7A3.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6I7A3.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VQ6OA.tmp\is-JV3LP.tmp

Filesize
550KB

MD5
48253758692b9ae0f764a6e8308b27d3

SHA1
a83c98ad6c06be7ee4f9a2c94e16eb3d26cad548

SHA256
f05568b083000781cac228c0e5b4de779a3b502d7a9517acf821e2ca47afbe05

SHA512
92e5f3bd2c4c91e139a209066a3deb0dbffa9df0f093b8988845dc0b2fbe0bb6ce59bf14b1e9d8e3eb2e8ac3a6df976f17e02db9dce9b2e580be3ace74f90ed0

Download Submit
\Users\Admin\AppData\Local\Temp\tfk34C7.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Users\Admin\AppData\Local\Temp\tfk34C7.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/1144-77-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/1144-72-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/1144-63-0x0000000000000000-mapping.dmp

Download
memory/1720-59-0x0000000000320000-0x0000000000393000-memory.dmp

Filesize
460KB

Download
memory/1720-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1720-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1720-58-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1720-71-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1720-57-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1720-73-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1720-74-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1720-75-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1720-76-0x0000000000320000-0x0000000000393000-memory.dmp

Filesize
460KB

Download
memory/1720-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads