ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6

Analysis

max time kernel
62s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
Size

1.1MB
MD5

3cfa0fe00f1a1af8d5169901b2950814
SHA1

b5af2708350427f7f0f8ed1513578a044977112b
SHA256

ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6
SHA512

168e67d8ff5e2a9dfb4e8e1eeaf8e3bc6b3e334dea3beb4c50b854bc57586b1172ca0ba9985ecc6c31cba67fa9417ebdbe8d831fe1a55f48cef4dc9b05fc5fd3
SSDEEP

24576:Mfz6TDfxW/bdSmPvA+Cm1tKUa7cNJv9Zf0:MCDpW5SqZCmqv7cNJvTc

Score

9^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015326-58.dat	acprotect
behavioral1/files/0x0006000000015c80-61.dat	acprotect
behavioral1/files/0x0006000000015c80-62.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
576	OLBPre.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015326-58.dat	upx
behavioral1/files/0x0006000000015c80-61.dat	upx
behavioral1/files/0x0006000000015c80-62.dat	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe

Loads dropped DLL 8 IoCs

pid	Process
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OLBPre\pt_PT.mo	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\uninst.exe	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File opened for modification	C:\Program Files (x86)\OLBPre\state.jdat	OLBPre.exe
File created	C:\Program Files (x86)\OLBPre\LinqBridge.dll	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\brand.jdat	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\de_DE.mo	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\es_ES.mo	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\state.jdat	OLBPre.exe
File created	C:\Program Files (x86)\OLBPre\OLBPre.exe	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\OLBPre.exe.config	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\fr_FR.mo	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
File created	C:\Program Files (x86)\OLBPre\it_IT.mo	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1280	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1280	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	27
PID 852 wrote to memory of 1280	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	27
PID 852 wrote to memory of 1280	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	27
PID 852 wrote to memory of 1280	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	27
PID 852 wrote to memory of 576	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	30
PID 852 wrote to memory of 576	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	30
PID 852 wrote to memory of 576	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	30
PID 852 wrote to memory of 576	852	ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe	30

C:\Users\Admin\AppData\Local\Temp\ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe
"C:\Users\Admin\AppData\Local\Temp\ce43c0ca5d5ec2b0e0c7041119cfa27dd1f665e3ce3c265fa34a41a805bf9ca6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /f /T /IM "OLBPre.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Program Files (x86)\OLBPre\OLBPre.exe
  "C:\Program Files (x86)\OLBPre\OLBPre.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OLBPre\LinqBridge.dll

Filesize
59KB

MD5
e5cc3997457cd365e43c19f0f9110148

SHA1
c2bb699ffc6f2da5828605b857adba92a403e697

SHA256
8732de712460d9dd3ee45a25421b31156b4d75eec291cd1deeae63e8a252504c

SHA512
4854108a26f6e72f788a01452a192fda64232668bf5560993be6d1172bf6e5e0a33dd498a2c84270692d71068d7d231a35dea08d5a455a92b617eb0cb3938ec8

Download Submit
C:\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
1.3MB

MD5
e86c954c29fb756353bd6e9216a0b4f7

SHA1
bd95ce88e815dd0eecbd38d5a3e0523d216fa71d

SHA256
3182a42253f4ec1c62079faedf37b13d8daba11f8ca6fb2911b5a4c0eed7c7d1

SHA512
5798229953430d8aec6bcaa917479d927958dc740fd58a9fc3bd174ccc6f62517364489e859a46605eeb67630aae6c1ce57d6a238c61746fe6a1f04b4c6efe00

Download Submit
C:\Program Files (x86)\OLBPre\OLBPre.exe.config

Filesize
203B

MD5
099ad51472095ee0914c661bc21f18d8

SHA1
52243c5db306b6ba032d6dd08c5ceeade4a12c43

SHA256
1935d2d6a82b18c211a2344390293a831a425dff08d1cd92efb244d043db925a

SHA512
3aac5d3f7f0db78c38a14a434c2671e4e09e00ee4afd9792f8ab937ea5da59e9172cb336c9cad05741f4402ad2195cceb1ab8c6d2bf317ecfef4497531c9c9cd

Download Submit
C:\Program Files (x86)\OLBPre\brand.jdat

Filesize
507KB

MD5
526199d0c4a83a02cca8c931a99f6a65

SHA1
a758a6c386d3f233e960d605858cde4f050d0e82

SHA256
e33ec639f7dfcb452f6373b84b12213f769e941a8325258d7247cd658a3e61ac

SHA512
efe564966b2e97ed5eebdf4a1c6554a82975844ea8bb487cecf002eac660b39efd09e01a041056443218215e6c92da9722ed9e8f433cdf24c84155ddf848783a

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
1.3MB

MD5
e86c954c29fb756353bd6e9216a0b4f7

SHA1
bd95ce88e815dd0eecbd38d5a3e0523d216fa71d

SHA256
3182a42253f4ec1c62079faedf37b13d8daba11f8ca6fb2911b5a4c0eed7c7d1

SHA512
5798229953430d8aec6bcaa917479d927958dc740fd58a9fc3bd174ccc6f62517364489e859a46605eeb67630aae6c1ce57d6a238c61746fe6a1f04b4c6efe00

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
1.3MB

MD5
e86c954c29fb756353bd6e9216a0b4f7

SHA1
bd95ce88e815dd0eecbd38d5a3e0523d216fa71d

SHA256
3182a42253f4ec1c62079faedf37b13d8daba11f8ca6fb2911b5a4c0eed7c7d1

SHA512
5798229953430d8aec6bcaa917479d927958dc740fd58a9fc3bd174ccc6f62517364489e859a46605eeb67630aae6c1ce57d6a238c61746fe6a1f04b4c6efe00

Download Submit
\Program Files (x86)\OLBPre\OLBPre.exe

Filesize
1.3MB

MD5
e86c954c29fb756353bd6e9216a0b4f7

SHA1
bd95ce88e815dd0eecbd38d5a3e0523d216fa71d

SHA256
3182a42253f4ec1c62079faedf37b13d8daba11f8ca6fb2911b5a4c0eed7c7d1

SHA512
5798229953430d8aec6bcaa917479d927958dc740fd58a9fc3bd174ccc6f62517364489e859a46605eeb67630aae6c1ce57d6a238c61746fe6a1f04b4c6efe00

Download Submit
\Users\Admin\AppData\Local\Temp\nsj79C5.tmp\AccessControl.dll

Filesize
8KB

MD5
9f1a88b953fd2a2c23b09703b253186c

SHA1
29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737

SHA256
8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d

SHA512
10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

Download Submit
\Users\Admin\AppData\Local\Temp\nsj79C5.tmp\AccessControl.dll

Filesize
8KB

MD5
9f1a88b953fd2a2c23b09703b253186c

SHA1
29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737

SHA256
8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d

SHA512
10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

Download Submit
\Users\Admin\AppData\Local\Temp\nsj79C5.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj79C5.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsj79C5.tmp\nsSCM.dll

Filesize
5KB

MD5
62efa7b730eb0523a026ea4325403b77

SHA1
806ed3bd677ccf5d9817c9b464015e347f2c8f3c

SHA256
0b96456e8cf6b3e582388d3e530c73ce9121974381d51e5a21cd945c75fd2a38

SHA512
748237582e1c25655cf512ec6b1a2f9ad59b3a0da2c3cada535f202dcc66e068ab3bb3be34016f944a4a4fae71a16aea12f9725fe9f679b3fd1073639e31033b

Download Submit
memory/576-69-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/576-70-0x000007FEF2620000-0x000007FEF36B6000-memory.dmp

Filesize
16.6MB

Download
memory/576-71-0x000000001C200000-0x000000001C4FF000-memory.dmp

Filesize
3.0MB

Download
memory/576-72-0x00000000023D6000-0x00000000023F5000-memory.dmp

Filesize
124KB

Download
memory/576-75-0x00000000023D6000-0x00000000023F5000-memory.dmp

Filesize
124KB

Download
memory/852-68-0x0000000074660000-0x0000000074664000-memory.dmp

Filesize
16KB

Download
memory/852-67-0x00000000746A0000-0x00000000746A8000-memory.dmp

Filesize
32KB

Download
memory/852-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download