91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face

General

Target

91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
Size

965KB
MD5

9407a68c5f76a026ed079975fb5700e5
SHA1

29666ce8d0c9849b841dd9dca15e599349c1bdac
SHA256

91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face
SHA512

aa62216aea993920751ea328283dbeb9b3a3712d845913abae5e6ea5f46fb38e9f83fd69268288acad0cf10495ad22d035f7bfe27b045018f156d6586e5a1f00
SSDEEP

24576:ZEOo7h3etPHM82CD9A2OGJtvu8AhoITzL9Srhf1U:ZEO8gt2CeOBuPho8LkV1U

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	acprotect
behavioral1/files/0x000500000000b2d2-64.dat	acprotect
behavioral1/files/0x000500000000b2d2-63.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1288	is-PM44Q.tmp

Loads dropped DLL 5 IoCs

pid	Process
620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
1288	is-PM44Q.tmp
1288	is-PM44Q.tmp
1288	is-PM44Q.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27
PID 620 wrote to memory of 1288	620	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	27

C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
"C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\is-QFR8E.tmp\is-PM44Q.tmp
  C:\Users\Admin\AppData\Local\Temp\is-QFR8E.tmp\is-PM44Q.tmp /SL4 $A011C C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe 803783 68096
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QFR8E.tmp\is-PM44Q.tmp

Filesize
542KB

MD5
b9a25ddbc177eced2ad1fbeb8c872139

SHA1
7b8875001f6f31481ecde299249fc29b4fea0bdb

SHA256
5310f793c2b95bbf8ad002eab6218e35488ae46b18d49e167ecf14d58570d47e

SHA512
46f2c5a453ebcfdfd4623b1278125d24507cf7ad0c4a271ef343c87ce2cc61c7bc0e1d64ab83c45d9bad4e8ff72b1930501ec09872e7d4b08a4f14614a90c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QFR8E.tmp\is-PM44Q.tmp

Filesize
542KB

MD5
b9a25ddbc177eced2ad1fbeb8c872139

SHA1
7b8875001f6f31481ecde299249fc29b4fea0bdb

SHA256
5310f793c2b95bbf8ad002eab6218e35488ae46b18d49e167ecf14d58570d47e

SHA512
46f2c5a453ebcfdfd4623b1278125d24507cf7ad0c4a271ef343c87ce2cc61c7bc0e1d64ab83c45d9bad4e8ff72b1930501ec09872e7d4b08a4f14614a90c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\yak4F1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Users\Admin\AppData\Local\Temp\is-KPFV2.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KPFV2.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QFR8E.tmp\is-PM44Q.tmp

Filesize
542KB

MD5
b9a25ddbc177eced2ad1fbeb8c872139

SHA1
7b8875001f6f31481ecde299249fc29b4fea0bdb

SHA256
5310f793c2b95bbf8ad002eab6218e35488ae46b18d49e167ecf14d58570d47e

SHA512
46f2c5a453ebcfdfd4623b1278125d24507cf7ad0c4a271ef343c87ce2cc61c7bc0e1d64ab83c45d9bad4e8ff72b1930501ec09872e7d4b08a4f14614a90c476

Download Submit
\Users\Admin\AppData\Local\Temp\yak4F1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Users\Admin\AppData\Local\Temp\yak4F1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/620-68-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/620-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/620-69-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/620-70-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/620-71-0x0000000000320000-0x0000000000393000-memory.dmp

Filesize
460KB

Download
memory/620-73-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/620-74-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1288-72-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/1288-75-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing