1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3

General

Target

1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
Size

1.1MB
MD5

b5d7dd21e9f5ee9f7d1f207db087c6c3
SHA1

0221211492b2bd994149691c17e2ac4ec1106899
SHA256

1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3
SHA512

b641f805bbe3783a284b663a32bd905f7abf6fef830b3105100ef8c5260fd973d93f85c5fa6816025250548b0513f75676c1b2827d0b4f409752bd66fded8718
SSDEEP

24576:0jXLnO34cqoQL27Ig2g++8olX7W/00Hh1vTM:QX634NLE++8m7u00HzTM

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000141f2-64.dat	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000141f2-64.dat	upx
behavioral1/memory/2024-65-0x0000000003B30000-0x0000000003B73000-memory.dmp	upx
behavioral1/memory/2024-82-0x0000000003B30000-0x0000000003B73000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\superecm6eIH.sys	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
File created	C:\Windows\SysWOW64\superecsqx3x.sys	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
2024	1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe

C:\Users\Admin\AppData\Local\Temp\1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe
"C:\Users\Admin\AppData\Local\Temp\1e481293fa40d33023028b4f8e8c07d8be8c46f090b12a4b44e9d96989c6bff3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4c9e8f81bf741a61915d0d4fc49d595e

SHA1
d033008b3a0e5d3fc8876e0423ee5509ecb3897c

SHA256
951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

SHA512
cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
216KB

MD5
cba933625bfa502fc4a1d9f34e1e4473

SHA1
5319194388c0e53321f99f1541b97af191999a09

SHA256
25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013

SHA512
f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
98KB

MD5
4e70aa97f22995853da109a2a05b1335

SHA1
16d243efe827436907a65aeafcd02312960225a0

SHA256
ee59d2fd30511ce7611a4a229610584a52678d9423f41c23e2aaae56b211bd4f

SHA512
1aed4011fcbb0eabc14d236d0aea4b54e33d02365777196ceb22d84aaf4de7469bda0f5d124bd022c3c1c3748cd6467008cef0de1f0f025e7a324fbc7152854e

Download Submit
memory/2024-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2024-56-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2024-57-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2024-59-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/2024-62-0x00000000020E0000-0x0000000002118000-memory.dmp

Filesize
224KB

Download
memory/2024-65-0x0000000003B30000-0x0000000003B73000-memory.dmp

Filesize
268KB

Download
memory/2024-82-0x0000000003B30000-0x0000000003B73000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing