538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81

General

Target

538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Size

1.7MB
MD5

0e193c4ec2d0e9b3937b40cd85506fc3
SHA1

798d8c99b4c184bc382d18ed12dcb3ca5eb633db
SHA256

538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81
SHA512

5202678cdaf0cc676ac1010478bcd1f5eeb71e885014043a7e0dfb08ab47b7bd784d55c34a1268ad9079b37701f119b46c15b0d42ba1600848c05468879f2cc4
SSDEEP

49152:DVHFXSFEmqiDqCbS1gickVsFTzuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuTuuuh:DVHFXSCmqsSgfkVsZuuuuuuuuuuuuuuR

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012322-55.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1228	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\DefaultIcon	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flv	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flv\ = "FlashVideo.FlashVideo"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe\" %1"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\shell\open\command	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\shell	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe,-202"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe\" %1"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe,-608"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashVideo.FlashVideo\shell\open	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1228	538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe

C:\Users\Admin\AppData\Local\Temp\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe
"C:\Users\Admin\AppData\Local\Temp\538d10c29b45f1a1a831924d332304feb103cf39e0241d8333bdfea63ca3bf81.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\smk78B9.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1228-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1228-56-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1228-57-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download
memory/1228-58-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1228-59-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing