15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

Analysis

max time kernel
152s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
Size

224KB
MD5

7009c6ab0cfad4098b7aa34bd290d780
SHA1

ac376f7970755415748df042fac17578a840f6fe
SHA256

15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc
SHA512

b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5
SSDEEP

6144:TzsTjPybOwj6Vt1Ab6wjeKY44cUAvldXpj7MKCDlNULAAOT:tkt1Abu42UlLEDsAT

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001232f-54.dat	acprotect
behavioral1/files/0x0007000000012738-59.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1128	gaycwq.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
1128	gaycwq.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gaycwq.exe	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
File opened for modification	C:\Windows\SysWOW64\gaycwq.exe	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gaycwq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	gaycwq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
1128	gaycwq.exe

Suspicious behavior: MapViewOfSection 45 IoCs

pid	Process
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe
1128	gaycwq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
Token: SeDebugPrivilege	1128	gaycwq.exe
Token: SeIncBasePriorityPrivilege	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
1128	gaycwq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 368	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	25
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 384	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	24
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 420	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	23
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 472	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	2
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 480	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	1
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 488	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	22
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 576	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	21
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 656	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	20
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 736	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	3
PID 2020 wrote to memory of 800	2020	15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe	19

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:736
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:328
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:304
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1016
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:276
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:576
- C:\Windows\SysWOW64\gaycwq.exe
  C:\Windows\SysWOW64\gaycwq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1128

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1716

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe
  "C:\Users\Admin\AppData\Local\Temp\15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gaycwq.exe

Filesize
224KB

MD5
7009c6ab0cfad4098b7aa34bd290d780

SHA1
ac376f7970755415748df042fac17578a840f6fe

SHA256
15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

SHA512
b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5

Download Submit
C:\Windows\SysWOW64\gaycwq.exe

Filesize
224KB

MD5
7009c6ab0cfad4098b7aa34bd290d780

SHA1
ac376f7970755415748df042fac17578a840f6fe

SHA256
15da34442650004fecf7d059c9ad06ca884cf9f0d1432cf549b25345b911addc

SHA512
b2dbb1f7bb0dbe64452a08db0b0e7ea4b0f9f89fc2eb7475557454eac465e714daedf78ef4dfad6c58647ac1f3a864fde0491458844418d31420406dfb620ad5

Download Submit
\Users\Admin\AppData\Local\Temp\ipk9751.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Windows\Temp\ypk9AF9.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/1128-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1128-62-0x0000000000410000-0x0000000000483000-memory.dmp

Filesize
460KB

Download
memory/2020-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2020-56-0x0000000001B80000-0x0000000001BF3000-memory.dmp

Filesize
460KB

Download
memory/2020-60-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download