3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6

General

Target

3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
Size

2.5MB
MD5

dc4cc742f38cf9ecb34aa1f57c079fc2
SHA1

7b22e4f433412dee5535b4d21a218fa2805902b3
SHA256

3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6
SHA512

28edb59b5e232e39af18d39c448b902d1bf4d76db1cd34010e80e8cd8254b77b4e0aecafe886e53bb355049d2a31dc5fc2e7fa4f03716debe9c5f70c9e858a6a
SSDEEP

49152:s51Lquog33FIqkpMT9v6VPsXpjQtpfQRuwymsfMDcOUvLKhYApMqNru1:aLqu5EMx/ofGymsecOGehYApMqI1

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000134e5-57.dat	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000134e5-57.dat	upx

Deletes itself 1 IoCs

pid	Process
1920	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1920	2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe	29
PID 2024 wrote to memory of 1920	2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe	29
PID 2024 wrote to memory of 1920	2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe	29
PID 2024 wrote to memory of 1920	2024	3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe	29

C:\Users\Admin\AppData\Local\Temp\3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe
"C:\Users\Admin\AppData\Local\Temp\3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe25022.bat" "C:\Users\Admin\AppData\Local\Temp\3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe""
  2⤵
  - Deletes itself
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d13f4943631adcc4d1628028901f24adc56342e2107d97fe5f99cac00efacc6.exe25022.bat

Filesize
201B

MD5
27a0a82076b47c150a3c80b051cdec49

SHA1
1d2f8b279bd0137098f7c7a4d8e078dbed99be74

SHA256
0dfd8812663874028c08f51298318ff8b6ee1539ccd087bcfabe9129fda503ba

SHA512
8e4bc60bd6803bd14da183432c04c0a5931a334e6ba5ed04b7b4c05327040f802c56008e850937af254f87a3f5a2281d77b867f35a59ac72d8baba5030b099bb

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\InstallerUtils.dll

Filesize
754KB

MD5
de2d8595d24f3302665988bd68394052

SHA1
eb62552578a4f7c1d41a8db001a3c821278aae70

SHA256
fb15e0118d553ce0c1f0ed649e52fd9d2c5099be565e3dcb26f91c18c064830a

SHA512
6c155ad3cd962f91e96a28f6ce2344265c03969019bf1252a544a43e388d4038a62fc74a83d055bd64391709c0251471aea1cbc4ea7dc0ffc79f71bc40e22e7c

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\InstallerUtils.dll

Filesize
754KB

MD5
de2d8595d24f3302665988bd68394052

SHA1
eb62552578a4f7c1d41a8db001a3c821278aae70

SHA256
fb15e0118d553ce0c1f0ed649e52fd9d2c5099be565e3dcb26f91c18c064830a

SHA512
6c155ad3cd962f91e96a28f6ce2344265c03969019bf1252a544a43e388d4038a62fc74a83d055bd64391709c0251471aea1cbc4ea7dc0ffc79f71bc40e22e7c

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\UpdaterUtils.dll

Filesize
702KB

MD5
abf9da96bb9b82150c37f88f4ea336fe

SHA1
db2620740d91e9ecdbf3bc759b960b493ebf01fc

SHA256
3b09c316ec18bdaf7d7d7aa947849a273378b14d9df8bff69668004e0f9025c1

SHA512
023be3251b418cf87e2ed64702507ed6c904db71ecb62447ff8f71ce9d42ce7bc1bb69dc7cbdadd834d10f406c1d84d6bb52db7d606efbc18fc074bc0dbddf6d

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\UpdaterUtils.dll

Filesize
702KB

MD5
abf9da96bb9b82150c37f88f4ea336fe

SHA1
db2620740d91e9ecdbf3bc759b960b493ebf01fc

SHA256
3b09c316ec18bdaf7d7d7aa947849a273378b14d9df8bff69668004e0f9025c1

SHA512
023be3251b418cf87e2ed64702507ed6c904db71ecb62447ff8f71ce9d42ce7bc1bb69dc7cbdadd834d10f406c1d84d6bb52db7d606efbc18fc074bc0dbddf6d

Download Submit
\Users\Admin\AppData\Local\Temp\nstEBF7.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
memory/2024-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/2024-60-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing