3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5

Analysis

max time kernel
186s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe
Size

1.1MB
MD5

1515f3b2a03f7951f69214718a8d6850
SHA1

762c8b873293e5c846c85a6b124c695dead5c17d
SHA256

3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5
SHA512

da63c3a8c9e7fe623aaaf29879f64697972c171e444bd34387871be046b6a0966ed489409488ce0c176b05a90d2c8f1949e883f2c0c023e572e85d936abab055
SSDEEP

24576:9SxsbO7VQn+LFtRsnv3ecllNZD4HMoIw/BN:9Sxws6+LNI3vzNglN

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001331d-56.dat	acprotect
behavioral1/files/0x000a00000001331d-61.dat	acprotect
behavioral1/files/0x000a00000001331d-60.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe
668	msiexec.exe
672	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\msxml6-KB973686-chs-x86.LOG	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
668	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeSecurityPrivilege	1584	msiexec.exe
Token: SeCreateTokenPrivilege	668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	668	msiexec.exe
Token: SeLockMemoryPrivilege	668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	668	msiexec.exe
Token: SeMachineAccountPrivilege	668	msiexec.exe
Token: SeTcbPrivilege	668	msiexec.exe
Token: SeSecurityPrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeLoadDriverPrivilege	668	msiexec.exe
Token: SeSystemProfilePrivilege	668	msiexec.exe
Token: SeSystemtimePrivilege	668	msiexec.exe
Token: SeProfSingleProcessPrivilege	668	msiexec.exe
Token: SeIncBasePriorityPrivilege	668	msiexec.exe
Token: SeCreatePagefilePrivilege	668	msiexec.exe
Token: SeCreatePermanentPrivilege	668	msiexec.exe
Token: SeBackupPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeShutdownPrivilege	668	msiexec.exe
Token: SeDebugPrivilege	668	msiexec.exe
Token: SeAuditPrivilege	668	msiexec.exe
Token: SeSystemEnvironmentPrivilege	668	msiexec.exe
Token: SeChangeNotifyPrivilege	668	msiexec.exe
Token: SeRemoteShutdownPrivilege	668	msiexec.exe
Token: SeUndockPrivilege	668	msiexec.exe
Token: SeSyncAgentPrivilege	668	msiexec.exe
Token: SeEnableDelegationPrivilege	668	msiexec.exe
Token: SeManageVolumePrivilege	668	msiexec.exe
Token: SeImpersonatePrivilege	668	msiexec.exe
Token: SeCreateGlobalPrivilege	668	msiexec.exe
Token: SeCreateTokenPrivilege	668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	668	msiexec.exe
Token: SeLockMemoryPrivilege	668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	668	msiexec.exe
Token: SeMachineAccountPrivilege	668	msiexec.exe
Token: SeTcbPrivilege	668	msiexec.exe
Token: SeSecurityPrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeLoadDriverPrivilege	668	msiexec.exe
Token: SeSystemProfilePrivilege	668	msiexec.exe
Token: SeSystemtimePrivilege	668	msiexec.exe
Token: SeProfSingleProcessPrivilege	668	msiexec.exe
Token: SeIncBasePriorityPrivilege	668	msiexec.exe
Token: SeCreatePagefilePrivilege	668	msiexec.exe
Token: SeCreatePermanentPrivilege	668	msiexec.exe
Token: SeBackupPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeShutdownPrivilege	668	msiexec.exe
Token: SeDebugPrivilege	668	msiexec.exe
Token: SeAuditPrivilege	668	msiexec.exe
Token: SeSystemEnvironmentPrivilege	668	msiexec.exe
Token: SeChangeNotifyPrivilege	668	msiexec.exe
Token: SeRemoteShutdownPrivilege	668	msiexec.exe
Token: SeUndockPrivilege	668	msiexec.exe
Token: SeSyncAgentPrivilege	668	msiexec.exe
Token: SeEnableDelegationPrivilege	668	msiexec.exe
Token: SeManageVolumePrivilege	668	msiexec.exe
Token: SeImpersonatePrivilege	668	msiexec.exe
Token: SeCreateGlobalPrivilege	668	msiexec.exe
Token: SeCreateTokenPrivilege	668	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
668	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1216 wrote to memory of 668	1216	3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe	28
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30
PID 1584 wrote to memory of 672	1584	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe
"C:\Users\Admin\AppData\Local\Temp\3a660a74377db75d0efb31ba6fbd4a2358d97a2aca1cf89c5246016ec0cf17f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\system32\msiexec /i c:\08b4c7df0c78b650c7\msxml6.msi /l*v C:\Windows\msxml6-KB973686-chs-x86.LOG
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F131FC3247D0B77D524E24A3DF206327 C
  2⤵
  - Loads dropped DLL
  PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9F9C.tmp

Filesize
68KB

MD5
1bcb6c6f7bd8898c2c111a8ce16bfab6

SHA1
85cf5d31a8ceb36f635fa4e40941cb1e1c7e9c13

SHA256
3924d4c5c1e80f86774e4db38dd8c3fad59d24411a0eb3280d2e11dbb1b7096b

SHA512
ad17644d413ad3126e2be8df068d037e7ff7bf5f90b83a73290db2512547873e29c5f03cc37e928907975305f32b2efe50a1a4d00e5a45a764e8e5b4cbd715f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnk8289.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\??\c:\08b4c7df0c78b650c7\msxml6.msi

Filesize
1.5MB

MD5
1c665d122209c53daeae1ee138256fa3

SHA1
16974569bb996638662317d8cd97c740483e27a7

SHA256
cce1645294873d9c51f641ce904d78233be39a14bebf9ac9c97eea15ba17e30e

SHA512
e0d20db187ef51743fa748ebfbd002aebe4adbbc9af3d79c7eddd83808ae85e2ce29d40c41d35f8948c02e17b5de3d5dabfb63da12faf89c823029d872f9e0fa

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9F9C.tmp

Filesize
68KB

MD5
1bcb6c6f7bd8898c2c111a8ce16bfab6

SHA1
85cf5d31a8ceb36f635fa4e40941cb1e1c7e9c13

SHA256
3924d4c5c1e80f86774e4db38dd8c3fad59d24411a0eb3280d2e11dbb1b7096b

SHA512
ad17644d413ad3126e2be8df068d037e7ff7bf5f90b83a73290db2512547873e29c5f03cc37e928907975305f32b2efe50a1a4d00e5a45a764e8e5b4cbd715f6

Download Submit
\Users\Admin\AppData\Local\Temp\nnk8289.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\nnk8289.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/668-72-0x00000000001A0000-0x0000000000213000-memory.dmp

Filesize
460KB

Download
memory/668-62-0x00000000001A0000-0x0000000000213000-memory.dmp

Filesize
460KB

Download
memory/1216-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1216-54-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1216-69-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1216-70-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1216-71-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1216-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1584-64-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download