be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e

General

Target

be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe
Size

884KB
MD5

3c16654303a97ce23f67aafd0d80a344
SHA1

90858bef0e3b65e244bbdefa34d2c35b13a755fa
SHA256

be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e
SHA512

c1f4d2577a34c8fef453ea91cf60c5c88a07f33360311f2ec8af8ccd29c176fdc3d084490dff52db67158bffa0058efc0d076ada619893d41cb1e4197dbcf8fe
SSDEEP

24576:Xv4vMb7TsWKdeORfAoMJoyzkKFTQihQnA1:AkjlEMmygUT/b1

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000022de1-134.dat	acprotect
behavioral2/files/0x0003000000022de1-133.dat	acprotect
behavioral2/files/0x0003000000022de1-142.dat	acprotect
behavioral2/files/0x0003000000022de1-140.dat	acprotect
behavioral2/files/0x0003000000022de1-141.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5016	is-IGH5E.tmp

Loads dropped DLL 4 IoCs

pid	Process
2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe
2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe
5016	is-IGH5E.tmp
5016	is-IGH5E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 5016	2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe	80
PID 2376 wrote to memory of 5016	2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe	80
PID 2376 wrote to memory of 5016	2376	be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe	80

C:\Users\Admin\AppData\Local\Temp\be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe
"C:\Users\Admin\AppData\Local\Temp\be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\is-LCLML.tmp\is-IGH5E.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LCLML.tmp\is-IGH5E.tmp" /SL4 $801D0 C:\Users\Admin\AppData\Local\Temp\be4156838a935465a58598b081a22f82a31714f8f2bf8836888df78158944f4e.exe 515286 50688
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-LCLML.tmp\is-IGH5E.tmp

Filesize
572KB

MD5
6c771e6862cef3b18328bf5b6241c991

SHA1
655632265be57089137ed53960800e8089e3ceb9

SHA256
701b05147a5f39aba879e3fe136f10ff1399dc4ca8d9f4bc23b4d05fa8065804

SHA512
aa9b52717127d2a6ea41d20cbb0952fd25ed5c65cdd9d6881f496b41cf0b7b1688034a9352a544a89987630e9324ed3bb351527aeddaad622031c84603556aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LCLML.tmp\is-IGH5E.tmp

Filesize
572KB

MD5
6c771e6862cef3b18328bf5b6241c991

SHA1
655632265be57089137ed53960800e8089e3ceb9

SHA256
701b05147a5f39aba879e3fe136f10ff1399dc4ca8d9f4bc23b4d05fa8065804

SHA512
aa9b52717127d2a6ea41d20cbb0952fd25ed5c65cdd9d6881f496b41cf0b7b1688034a9352a544a89987630e9324ed3bb351527aeddaad622031c84603556aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qriB1A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qriB1A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qriB1A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qriB1A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qriB1A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/2376-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2376-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2376-143-0x0000000002180000-0x00000000021F3000-memory.dmp

Filesize
460KB

Download
memory/2376-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5016-137-0x0000000000000000-mapping.dmp

Download
memory/5016-145-0x0000000002320000-0x0000000002393000-memory.dmp

Filesize
460KB

Download
memory/5016-146-0x0000000002320000-0x0000000002393000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing