c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16

Analysis

max time kernel
62s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
Size

1.3MB
MD5

640a457de71b1c7b27103371728d2877
SHA1

3047a1f852a77394ad098d1f923f78e33159388f
SHA256

c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16
SHA512

d33ec0ead82bd895567ec00eca5881c5b3705b78d5d53e04870adc6ec91bce4c49dacde847e8679f46c4821bedce48b037dcd3480b6dfe16e704301741dc4379
SSDEEP

24576:2GkveWENzeMhReJj/cOzo/pDuSR5wsXwzMPJz/51oR3:woNeQ+/tzouSR5/hP5LW

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022de8-134.dat	acprotect
behavioral2/files/0x0007000000022de8-133.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\NSISLog	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
File created	C:\Program Files (x86)\Common Files\NSISLog\Lang2052.DAT	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSISLog\Lang2052.DAT	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe

C:\Users\Admin\AppData\Local\Temp\c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe
"C:\Users\Admin\AppData\Local\Temp\c41b999771e5520c02dda8c4a8f93e959268e464b8401eb27a9bf3c3c4e3bd16.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aai203.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aai203.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\installoptions.dll

Filesize
12KB

MD5
83304a78d2b6ea45ea8404f4cd78721f

SHA1
d5c5d19653c751c08579dd094bcc9fef1841af00

SHA256
92344973083c0a5d8f5732814c1315124e8e0a2f1ed912583a081f95f7549414

SHA512
94076cc935927925641d668c19b389d007ff7e8623f2afe706fc73d1ecb97210577a828a727404b200d9870e14b23d6bd047de9201d629e7443a929c0740c67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\killprocdll.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\system.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\system.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\system.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\system.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso39D.tmp\system.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
memory/1612-132-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1612-141-0x00000000022A0000-0x0000000002313000-memory.dmp

Filesize
460KB

Download
memory/1612-143-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download