fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948

Analysis

max time kernel
114s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
Size

2.0MB
MD5

fae1e005bf4b95107d652c4c8b34dbbd
SHA1

b10d2aad4d7068209ce353fe61e993ad71787308
SHA256

fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948
SHA512

8a9bc3dd8de09912bdaf9e5e46be03996c1420982532b07ca41ea0c603b70af412a4200f49f56b7282c81586325e540e3631b80ba2e6cdbd11b257ff59d3422c
SSDEEP

49152:pRsT5JcjsX8ui2Xq/QnBOMWbq8+ZAB+DMBx/WskAxLo6no5PO/Fz:HsT5Jcjss92ZOMWbtCAB+4BuHWZ

Score

9^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001230a-58.dat	acprotect
behavioral1/files/0x0008000000012333-61.dat	acprotect
behavioral1/files/0x0008000000012333-62.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
608	OLBPre.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001230a-58.dat	upx
behavioral1/files/0x0008000000012333-61.dat	upx
behavioral1/files/0x0008000000012333-62.dat	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe

Loads dropped DLL 8 IoCs

pid	Process
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OLBPre\OLBPre.exe	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\OLBPre.exe.config	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\LinqBridge.dll	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\brand.jdat	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\de_DE.mo	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\fr_FR.mo	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\it_IT.mo	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\pt_PT.mo	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\uninst.exe	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\es_ES.mo	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
File created	C:\Program Files (x86)\OLBPre\state.jdat	OLBPre.exe
File opened for modification	C:\Program Files (x86)\OLBPre\state.jdat	OLBPre.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1176	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1176	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	28
PID 1764 wrote to memory of 1176	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	28
PID 1764 wrote to memory of 1176	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	28
PID 1764 wrote to memory of 1176	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	28
PID 1764 wrote to memory of 608	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	31
PID 1764 wrote to memory of 608	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	31
PID 1764 wrote to memory of 608	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	31
PID 1764 wrote to memory of 608	1764	fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe	31

C:\Users\Admin\AppData\Local\Temp\fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe
"C:\Users\Admin\AppData\Local\Temp\fc096c622d386fdd4226bfb3b0f7c3b63198767d6acbc47db515597f09860948.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /f /T /IM "OLBPre.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Program Files (x86)\OLBPre\OLBPre.exe
  "C:\Program Files (x86)\OLBPre\OLBPre.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OLBPre\LinqBridge.dll

Filesize
59KB

MD5
e5cc3997457cd365e43c19f0f9110148

SHA1
c2bb699ffc6f2da5828605b857adba92a403e697

SHA256
8732de712460d9dd3ee45a25421b31156b4d75eec291cd1deeae63e8a252504c

SHA512
4854108a26f6e72f788a01452a192fda64232668bf5560993be6d1172bf6e5e0a33dd498a2c84270692d71068d7d231a35dea08d5a455a92b617eb0cb3938ec8

Download Submit
C:\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
2.4MB

MD5
5efc8ac9dc130ffdbe199c6bcfa24677

SHA1
7cba746ecb2ab57c5f6af9a5c6415670fd964a8a

SHA256
cbc3437e19674e499817ef07b88aeda61401400edcff47cf7811e6ee8cfe30f2

SHA512
4fbdf2985f0ebeaf9e01d6f96203211abb4577043f0fa5c1fd114472e2389a8ed3627d60ea03f44a4225ef1de3c798e12c959546110a313d2e8c98c6483e6c8b

Download Submit
C:\Program Files (x86)\OLBPre\OLBPre.exe.config

Filesize
203B

MD5
099ad51472095ee0914c661bc21f18d8

SHA1
52243c5db306b6ba032d6dd08c5ceeade4a12c43

SHA256
1935d2d6a82b18c211a2344390293a831a425dff08d1cd92efb244d043db925a

SHA512
3aac5d3f7f0db78c38a14a434c2671e4e09e00ee4afd9792f8ab937ea5da59e9172cb336c9cad05741f4402ad2195cceb1ab8c6d2bf317ecfef4497531c9c9cd

Download Submit
C:\Program Files (x86)\OLBPre\brand.jdat

Filesize
507KB

MD5
526199d0c4a83a02cca8c931a99f6a65

SHA1
a758a6c386d3f233e960d605858cde4f050d0e82

SHA256
e33ec639f7dfcb452f6373b84b12213f769e941a8325258d7247cd658a3e61ac

SHA512
efe564966b2e97ed5eebdf4a1c6554a82975844ea8bb487cecf002eac660b39efd09e01a041056443218215e6c92da9722ed9e8f433cdf24c84155ddf848783a

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
2.4MB

MD5
5efc8ac9dc130ffdbe199c6bcfa24677

SHA1
7cba746ecb2ab57c5f6af9a5c6415670fd964a8a

SHA256
cbc3437e19674e499817ef07b88aeda61401400edcff47cf7811e6ee8cfe30f2

SHA512
4fbdf2985f0ebeaf9e01d6f96203211abb4577043f0fa5c1fd114472e2389a8ed3627d60ea03f44a4225ef1de3c798e12c959546110a313d2e8c98c6483e6c8b

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
2.4MB

MD5
5efc8ac9dc130ffdbe199c6bcfa24677

SHA1
7cba746ecb2ab57c5f6af9a5c6415670fd964a8a

SHA256
cbc3437e19674e499817ef07b88aeda61401400edcff47cf7811e6ee8cfe30f2

SHA512
4fbdf2985f0ebeaf9e01d6f96203211abb4577043f0fa5c1fd114472e2389a8ed3627d60ea03f44a4225ef1de3c798e12c959546110a313d2e8c98c6483e6c8b

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
2.4MB

MD5
5efc8ac9dc130ffdbe199c6bcfa24677

SHA1
7cba746ecb2ab57c5f6af9a5c6415670fd964a8a

SHA256
cbc3437e19674e499817ef07b88aeda61401400edcff47cf7811e6ee8cfe30f2

SHA512
4fbdf2985f0ebeaf9e01d6f96203211abb4577043f0fa5c1fd114472e2389a8ed3627d60ea03f44a4225ef1de3c798e12c959546110a313d2e8c98c6483e6c8b

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC19D.tmp\AccessControl.dll

Filesize
8KB

MD5
9f1a88b953fd2a2c23b09703b253186c

SHA1
29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737

SHA256
8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d

SHA512
10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC19D.tmp\AccessControl.dll

Filesize
8KB

MD5
9f1a88b953fd2a2c23b09703b253186c

SHA1
29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737

SHA256
8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d

SHA512
10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC19D.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC19D.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC19D.tmp\nsSCM.dll

Filesize
5KB

MD5
62efa7b730eb0523a026ea4325403b77

SHA1
806ed3bd677ccf5d9817c9b464015e347f2c8f3c

SHA256
0b96456e8cf6b3e582388d3e530c73ce9121974381d51e5a21cd945c75fd2a38

SHA512
748237582e1c25655cf512ec6b1a2f9ad59b3a0da2c3cada535f202dcc66e068ab3bb3be34016f944a4a4fae71a16aea12f9725fe9f679b3fd1073639e31033b

Download Submit
memory/608-69-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp

Filesize
10.1MB

Download
memory/608-70-0x000007FEF2A30000-0x000007FEF3AC6000-memory.dmp

Filesize
16.6MB

Download
memory/608-71-0x000000001C8C0000-0x000000001CBBF000-memory.dmp

Filesize
3.0MB

Download
memory/608-72-0x0000000000D26000-0x0000000000D45000-memory.dmp

Filesize
124KB

Download
memory/608-74-0x0000000000D26000-0x0000000000D45000-memory.dmp

Filesize
124KB

Download
memory/1764-68-0x0000000074DF0000-0x0000000074DFA000-memory.dmp

Filesize
40KB

Download
memory/1764-67-0x0000000074E30000-0x0000000074E38000-memory.dmp

Filesize
32KB

Download
memory/1764-73-0x0000000074DF0000-0x0000000074DFA000-memory.dmp

Filesize
40KB

Download
memory/1764-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download