Analysis
- max time kernel: 101s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:45
Behavioral task: behavioral1
- Sample: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
- Resource: win10v2004-20220812-en
General
- Target: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
- Size: 52KB
- MD5: 232bb21a629f04db251f884ef37fb85e
- SHA1: d21755ead7886518026cb4451a1bca19d3bfb982
- SHA256: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d
- SHA512: 12567185ac95bd1eae5f9320b33a6b0442ae51b205b5a7cb537c88e22548f20dddfaa09d1e5bef007390081ee09ce16f98bf2723847c61defbb4011b25a1d5d5
- SSDEEP: 1536:KnDaoljZu7TuHGHMtRS6B5Fwhy9Einouy8V:KJljMCHGHQ5Fyy9E6outV
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\sh.dll | acprotect
    C:\Users\Admin\AppData\Local\Temp\sh.dll | acprotect
- Processes:
    resource | yara_rule
    behavioral2/memory/4584-132-0x0000000000400000-0x000000000041A000-memory.dmp | upx
    behavioral2/memory/4584-133-0x0000000000400000-0x000000000041A000-memory.dmp | upx
    behavioral2/memory/4584-136-0x0000000000400000-0x000000000041A000-memory.dmp | upx
    C:\Users\Admin\AppData\Local\Temp\sh.dll | upx
    C:\Users\Admin\AppData\Local\Temp\sh.dll | upx
    behavioral2/memory/2228-139-0x0000000000400000-0x000000000041E000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
- Loads dropped DLL (1 IoCs)
  Processes: regsvr32.exe
    pid | process
    2228 | regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe, regsvr32.exe
    pid | process
    4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    2228 | regsvr32.exe
    2228 | regsvr32.exe
    2228 | regsvr32.exe
    2228 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe, regsvr32.exe
    description | pid | process | target process
    PID 4584 wrote to memory of 2228 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | regsvr32.exe
    PID 4584 wrote to memory of 2228 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | regsvr32.exe
    PID 4584 wrote to memory of 2228 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | regsvr32.exe
    PID 4584 wrote to memory of 4988 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | cmd.exe
    PID 4584 wrote to memory of 4988 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | cmd.exe
    PID 4584 wrote to memory of 4988 | 4584 | bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe | cmd.exe
    PID 2228 wrote to memory of 2824 | 2228 | regsvr32.exe | Explorer.EXE
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe"
    Signatures:
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\sh.dll
      Signatures:
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\bce12b0cefc9ee0b2fd70e78aae55de42f07bac70c0312e6e007b0d206e67d2d.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\sh.dll
  Filesize: 35KB
  MD5: 4bc8c4adadf6c40d718a39e89b3eb038
  SHA1: c33f5ec7126d60db5fe2ad30b6b6664932bfc945
  SHA256: ef0986ac22d0853a9ed708de84d7384d91384c39fdc722f0e3ae7db8056dce38
  SHA512: 75f368d24e9973c6200fdcda712b741eefe2acbd47be86c64b5f88c13681614fea65f87cdcbba9010021c599a1530fcd047ecce01755c547fd39da4d989e3bbd
- memory/2228-134-0x0000000000000000-mapping.dmp
- memory/2228-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/4584-132-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
- memory/4584-133-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
- memory/4584-136-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
- memory/4988-135-0x0000000000000000-mapping.dmp