91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face

General

Target

91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
Size

965KB
MD5

9407a68c5f76a026ed079975fb5700e5
SHA1

29666ce8d0c9849b841dd9dca15e599349c1bdac
SHA256

91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face
SHA512

aa62216aea993920751ea328283dbeb9b3a3712d845913abae5e6ea5f46fb38e9f83fd69268288acad0cf10495ad22d035f7bfe27b045018f156d6586e5a1f00
SSDEEP

24576:ZEOo7h3etPHM82CD9A2OGJtvu8AhoITzL9Srhf1U:ZEO8gt2CeOBuPho8LkV1U

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e37-133.dat	acprotect
behavioral2/files/0x0006000000022e37-134.dat	acprotect
behavioral2/files/0x0006000000022e37-140.dat	acprotect
behavioral2/files/0x0006000000022e37-142.dat	acprotect
behavioral2/files/0x0006000000022e37-141.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
400	is-NUMIQ.tmp

Loads dropped DLL 4 IoCs

pid	Process
3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
400	is-NUMIQ.tmp
400	is-NUMIQ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 400	3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	80
PID 3708 wrote to memory of 400	3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	80
PID 3708 wrote to memory of 400	3708	91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe	80

C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe
"C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\is-GN9QU.tmp\is-NUMIQ.tmp
  C:\Users\Admin\AppData\Local\Temp\is-GN9QU.tmp\is-NUMIQ.tmp /SL4 $3005C C:\Users\Admin\AppData\Local\Temp\91f6ae21b89932d010d347950142f08346c875a0a0cf3f03c1d57f99d0d8face.exe 803783 68096
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GN9QU.tmp\is-NUMIQ.tmp

Filesize
542KB

MD5
b9a25ddbc177eced2ad1fbeb8c872139

SHA1
7b8875001f6f31481ecde299249fc29b4fea0bdb

SHA256
5310f793c2b95bbf8ad002eab6218e35488ae46b18d49e167ecf14d58570d47e

SHA512
46f2c5a453ebcfdfd4623b1278125d24507cf7ad0c4a271ef343c87ce2cc61c7bc0e1d64ab83c45d9bad4e8ff72b1930501ec09872e7d4b08a4f14614a90c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN9QU.tmp\is-NUMIQ.tmp

Filesize
542KB

MD5
b9a25ddbc177eced2ad1fbeb8c872139

SHA1
7b8875001f6f31481ecde299249fc29b4fea0bdb

SHA256
5310f793c2b95bbf8ad002eab6218e35488ae46b18d49e167ecf14d58570d47e

SHA512
46f2c5a453ebcfdfd4623b1278125d24507cf7ad0c4a271ef343c87ce2cc61c7bc0e1d64ab83c45d9bad4e8ff72b1930501ec09872e7d4b08a4f14614a90c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\opi97A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\opi97A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\opi97A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\opi97A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\opi97A1.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/400-145-0x00000000021F0000-0x0000000002263000-memory.dmp

Filesize
460KB

Download
memory/400-146-0x00000000021F0000-0x0000000002263000-memory.dmp

Filesize
460KB

Download
memory/3708-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3708-132-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3708-143-0x0000000002180000-0x00000000021F3000-memory.dmp

Filesize
460KB

Download
memory/3708-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing