bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d

General

Target

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
Size

52KB
MD5

232bb21a629f04db251f884ef37fb85e
SHA1

d21755ead7886518026cb4451a1bca19d3bfb982
SHA256

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d
SHA512

12567185ac95bd1eae5f9320b33a6b0442ae51b205b5a7cb537c88e22548f20dddfaa09d1e5bef007390081ee09ce16f98bf2723847c61defbb4011b25a1d5d5
SSDEEP

1536:KnDaoljZu7TuHGHMtRS6B5Fwhy9Einouy8V:KJljMCHGHQ5Fyy9E6outV

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sh.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\sh.dll	acprotect

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4584-132-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4584-133-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4584-136-0x0000000000400000-0x000000000041A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\sh.dll	upx
C:\Users\Admin\AppData\Local\Temp\sh.dll	upx
behavioral2/memory/2228-139-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2228 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2228	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exeregsvr32.exe

pid	process
4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
2228	regsvr32.exe
2228	regsvr32.exe
2228	regsvr32.exe
2228	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe

description pid process

Token: SeIncBasePriorityPrivilege 4584 bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exeregsvr32.exe

description	pid	process	target process
PID 4584 wrote to memory of 2228	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	regsvr32.exe
PID 4584 wrote to memory of 2228	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	regsvr32.exe
PID 4584 wrote to memory of 2228	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	regsvr32.exe
PID 4584 wrote to memory of 4988	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	cmd.exe
PID 4584 wrote to memory of 4988	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	cmd.exe
PID 4584 wrote to memory of 4988	4584	bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe	cmd.exe
PID 2228 wrote to memory of 2824	2228	regsvr32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
"C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\sh.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
3⤵
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sh.dll
Filesize
35KB

MD5
4bc8c4adadf6c40d718a39e89b3eb038

SHA1
c33f5ec7126d60db5fe2ad30b6b6664932bfc945

SHA256
ef0986ac22d0853a9ed708de84d7384d91384c39fdc722f0e3ae7db8056dce38

SHA512
75f368d24e9973c6200fdcda712b741eefe2acbd47be86c64b5f88c13681614fea65f87cdcbba9010021c599a1530fcd047ecce01755c547fd39da4d989e3bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sh.dll
Filesize
35KB

MD5
4bc8c4adadf6c40d718a39e89b3eb038

SHA1
c33f5ec7126d60db5fe2ad30b6b6664932bfc945

SHA256
ef0986ac22d0853a9ed708de84d7384d91384c39fdc722f0e3ae7db8056dce38

SHA512
75f368d24e9973c6200fdcda712b741eefe2acbd47be86c64b5f88c13681614fea65f87cdcbba9010021c599a1530fcd047ecce01755c547fd39da4d989e3bbd

Download Submit
memory/2228-134-0x0000000000000000-mapping.dmp

Download
memory/2228-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4584-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4584-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4584-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4988-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads