Analysis

  • max time kernel
    152s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 08:40

General

  • Target

    15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe

  • Size

    224KB

  • MD5

    7009c6ab0cfad4098b7aa34bd290d780

  • SHA1

    ac376f7970755415748df042fac17578a840f6fe

  • SHA256

    15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

  • SHA512

    b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5

  • SSDEEP

    6144:TzsTjPybOwj6Vt1Ab6wjeKY44cUAvldXpj7MKCDlNULAAOT:tkt1Abu42UlLEDsAT

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:472
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:736
          • C:\Windows\System32\spoolsv.exe
            C:\Windows\System32\spoolsv.exe
            2⤵
              PID:328
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:304
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:1016
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1112
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                    2⤵
                      PID:1032
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:276
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:864
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:836
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:800
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:656
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:576
                                • C:\Windows\SysWOW64\gaycwq.exe
                                  C:\Windows\SysWOW64\gaycwq.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks processor information in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: MapViewOfSection
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1128
                              • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                wmiadap.exe /F /T /R
                                1⤵
                                  PID:1716
                                • C:\Windows\system32\wbem\wmiprvse.exe
                                  C:\Windows\system32\wbem\wmiprvse.exe
                                  1⤵
                                    PID:1976
                                  • C:\Windows\Explorer.EXE
                                    C:\Windows\Explorer.EXE
                                    1⤵
                                      PID:1248
                                      • C:\Users\Admin\AppData\Local\Temp\15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
                                        "C:\Users\Admin\AppData\Local\Temp\15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe"
                                        2⤵
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: MapViewOfSection
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        • Suspicious use of WriteProcessMemory
                                        PID:2020
                                    • C:\Windows\system32\Dwm.exe
                                      "C:\Windows\system32\Dwm.exe"
                                      1⤵
                                        PID:1200
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        1⤵
                                          PID:488
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:420
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:384
                                            • C:\Windows\system32\wininit.exe
                                              wininit.exe
                                              1⤵
                                                PID:368

                                              Network

                                              MITRE ATT&CK Enterprise v6

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Windows\SysWOW64\gaycwq.exe

                                                Filesize

                                                224KB

                                                MD5

                                                7009c6ab0cfad4098b7aa34bd290d780

                                                SHA1

                                                ac376f7970755415748df042fac17578a840f6fe

                                                SHA256

                                                15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

                                                SHA512

                                                b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5

                                              • C:\Windows\SysWOW64\gaycwq.exe

                                                Filesize

                                                224KB

                                                MD5

                                                7009c6ab0cfad4098b7aa34bd290d780

                                                SHA1

                                                ac376f7970755415748df042fac17578a840f6fe

                                                SHA256

                                                15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

                                                SHA512

                                                b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5

                                              • \Users\Admin\AppData\Local\Temp\ipk9751.tmp

                                                Filesize

                                                172KB

                                                MD5

                                                fe763c2d71419352141c77c310e600d2

                                                SHA1

                                                6bb51ebcbde9fe5556a74319b49bea37d5542d5e

                                                SHA256

                                                7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

                                                SHA512

                                                147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

                                              • \Windows\Temp\ypk9AF9.tmp

                                                Filesize

                                                172KB

                                                MD5

                                                fe763c2d71419352141c77c310e600d2

                                                SHA1

                                                6bb51ebcbde9fe5556a74319b49bea37d5542d5e

                                                SHA256

                                                7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

                                                SHA512

                                                147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

                                              • memory/1128-61-0x0000000000400000-0x0000000000410000-memory.dmp

                                                Filesize

                                                64KB

                                              • memory/1128-62-0x0000000000410000-0x0000000000483000-memory.dmp

                                                Filesize

                                                460KB

                                              • memory/2020-55-0x0000000000400000-0x0000000000410000-memory.dmp

                                                Filesize

                                                64KB

                                              • memory/2020-56-0x0000000001B80000-0x0000000001BF3000-memory.dmp

                                                Filesize

                                                460KB

                                              • memory/2020-60-0x000000007EF90000-0x000000007EF9C000-memory.dmp

                                                Filesize

                                                48KB