Analysis
max time kernel: 91s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
  Resource: win10v2004-20220901-en
Every signature hit, memory dump and process listed below is tagged behavioral2, i.e. this page shows the Windows 10 run; the win7 run is not reproduced here.
General
Target: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe
Size: 1.4MB
MD5: c9ddc48f08e3678e2a4e65d4951dc261
SHA1: 7b2e70ecdf86e9461f0cb4e6aeb37cae893bcfa5
SHA256: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4
SHA512: cfa8b15fa6df43f47a63085382f18c8f2a9f170781c54c52f4ca584924c601f7664ea113ee2b103fd3e288179cc709b0fee1830c9cea868400c28c32fbb43825
SSDEEP: 24576:jxdW2AUOoj6Rc4FoweN2vtUm5a4j06/b9y8lDbe+Eltpe3f:dZA4BEoZsh5ayFy8lU6f
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software (5 IoCs)
Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral2/files/0x0002000000022e0a-142.dat  acprotect
  behavioral2/files/0x0002000000022e08-141.dat  acprotect
  behavioral2/files/0x0002000000022e08-143.dat  acprotect
  behavioral2/files/0x0002000000022e0a-145.dat  acprotect
  behavioral2/files/0x0002000000022e0a-144.dat  acprotect
Executes dropped EXE (1 IoC)
  pid   Process
  5116  System32.exe
UPX (yara rule upx, 10 IoCs)
  resource                                                              yara_rule
  behavioral2/files/0x0002000000022e0d-138.dat                          upx
  behavioral2/files/0x0002000000022e0d-140.dat                          upx
  behavioral2/files/0x0002000000022e0a-142.dat                          upx
  behavioral2/files/0x0002000000022e08-141.dat                          upx
  behavioral2/files/0x0002000000022e08-143.dat                          upx
  behavioral2/files/0x0002000000022e0a-145.dat                          upx
  behavioral2/files/0x0002000000022e0a-144.dat                          upx
  behavioral2/memory/5116-146-0x0000000013900000-0x000000001394B000-memory.dmp  upx
  behavioral2/memory/5116-147-0x0000000000400000-0x000000000040F000-memory.dmp  upx
  behavioral2/memory/5116-148-0x0000000011000000-0x00000000110F4000-memory.dmp  upx
The three memory dumps all belong to PID 5116 (the dropped System32.exe), so the UPX rule fires on the dropped files on disk and again on the mapped images inside that process. The 0x...22e0a and 0x...22e08 files match both the acprotect and the upx rules; 0x...22e0d matches only upx.
Loads dropped DLL (3 IoCs)
  pid   Process
  5116  System32.exe
  5116  System32.exe
  5116  System32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe\""
  Process: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe (PID 1692)
This is the per-user Run key (HKCU of the sandbox user's SID). The value name "Windows Security" is chosen to look benign, and the data is the quoted path of the sample itself in the user's Temp directory; any user can write both the key and that path, so the persistence needs no elevation.
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1692 set thread context of 4364
  pid: 1692   Process: 8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe   procid_target: 81
PIDs 1692 and 4364 are both instances of the sample (see the process tree below): the parent writes into its own freshly started child and then redirects a thread in it, which is the shape of self-injection / process hollowing. It is the child, 4364, that goes on to start the dropped System32.exe (5116).
Program crash (1 IoC)
  pid: 1728   pid_target: 5116   Process: WerFault.exe   procid_target: 82
Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                                                   procid_target  entries
  PID 1692 wrote to memory of 4364   1692  8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe  81             12
  PID 4364 wrote to memory of 5116   4364  8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe  82             3
Processes
C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe  (PID 1692)
  command line: "C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe  (PID 4364, child of 1692)
    command line: "C:\Users\Admin\AppData\Local\Temp\8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Security\System32.exe  (PID 5116, child of 4364)
      command line: C:\Users\Admin\AppData\Roaming\Security\System32.exe -o http://H4x0r_djred2:[email protected]:8344
      - Executes dropped EXE
      - Loads dropped DLL
      C:\Windows\SysWOW64\WerFault.exe  (PID 1728, child of 5116)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 496
        - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 1972)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5116 -ip 5116
The two WerFault instances (1728 and 1972) are the error-reporting pair for PID 5116 (`-p 5116` / `-ip 5116`); the dropped System32.exe crashed shortly after start, which is why the run ends there. The host part of the `-o` argument is shown mangled in the report and is reproduced as printed.
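The signature tables and the process tree above are flat records. The Python below, added here and not part of the sandbox report, transcribes them and runs the three checks a responder would want in this order: does a parent combine WriteProcessMemory and SetThreadContext on a child running its own image (1692 into 4364), does the Run value point at a user-writable path, and is the dropped System32.exe a system-name look-alike started with a miner-style `-o user:pass@host:port` pool argument. The function names, the look-alike name list and the reading of `-o` as a pool argument are assumptions of this example; the report itself names no malware family. The mangled host in the report's command line is kept exactly as printed, so only the user part of the credential is parsed.

```python
"""Triage checks over the behavioural records in the report above.

Added example, not part of the sandbox report. Records are transcribed from
the report's process tree and signature tables; function names, the look-alike
name list and the reading of `-o url` as a pool argument are assumptions.
"""
import ntpath
import re
from collections import Counter

SAMPLE = "8219311bc99c105c1edc420fbcd2067ea839b499248e1c45b31596161a76c4c4.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Process tree from the report: (pid, parent pid, image path, arguments).
# The tail of the 5116 command line is kept exactly as the report prints it.
PROCESSES = [
    (1692, None, SAMPLE_PATH, ""),
    (4364, 1692, SAMPLE_PATH, ""),
    (5116, 4364, r"C:\Users\Admin\AppData\Roaming\Security\System32.exe",
     "-o http://H4x0r_djred2:[email protected]:8344"),
    (1728, 5116, r"C:\Windows\SysWOW64\WerFault.exe", "-u -p 5116 -s 496"),
    (1972, None, r"C:\Windows\SysWOW64\WerFault.exe", "-pss -s 408 -p 5116 -ip 5116"),
]

# Cross-process API calls from the signature tables: (api, source pid, target pid).
API_EVENTS = (
    [("SetThreadContext", 1692, 4364)]
    + [("WriteProcessMemory", 1692, 4364)] * 12
    + [("WriteProcessMemory", 4364, 5116)] * 3
)

# Registry writes: (pid, key path, string data). The report shows the data
# with escaped backslashes; this is the literal value, quotes included.
REGISTRY_WRITES = [
    (1692,
     r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security",
     '"' + SAMPLE_PATH + '"'),
]

RUN_KEY = re.compile(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\SOFTWARE\\Microsoft"
                     r"\\Windows\\CurrentVersion\\Run\\(.+)$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Names that belong under C:\Windows ("System32" is a directory, not a binary).
LOOKALIKES = {"system32.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def find_self_injection(procs, events):
    """SetThreadContext plus WriteProcessMemory from a parent into a child that
    runs the same image: the shape of process hollowing / self-injection."""
    by_pid = {p[0]: p for p in procs}
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    hits = []
    for api, src, dst in events:
        if api != "SetThreadContext" or src not in by_pid or dst not in by_pid:
            continue
        parent, child = by_pid[src], by_pid[dst]
        if child[1] == src and parent[2].lower() == child[2].lower() and writes[(src, dst)]:
            hits.append({"parent": src, "child": dst, "writes": writes[(src, dst)]})
    return hits


def find_run_key_persistence(reg_writes):
    """Per-user Run values, flagging targets in user-writable directories."""
    hits = []
    for pid, key, data in reg_writes:
        m = RUN_KEY.match(key)
        if m:
            target = data.strip('"')
            hits.append({"pid": pid, "sid": m.group(1), "value": m.group(2),
                         "target": target,
                         "user_writable": any(s in target.lower() for s in USER_WRITABLE)})
    return hits


def pool_argument(args):
    """(url, user) for a miner-style `-o user:pass@host:port` argument, else (None, None).
    Only the user before the first ':' is parsed, so a mangled host does not matter."""
    toks = args.split()
    if "-o" not in toks or toks.index("-o") + 1 >= len(toks):
        return None, None
    url = toks[toks.index("-o") + 1]
    m = re.match(r"https?://([^:/@\s]+):", url)
    return url, (m.group(1) if m else None)


def find_masquerading_children(procs):
    """Binaries named like Windows components but running outside C:\\Windows."""
    hits = []
    for pid, ppid, image, args in procs:
        if (ntpath.basename(image).lower() in LOOKALIKES
                and not image.lower().startswith("c:\\windows\\")):
            url, user = pool_argument(args)
            hits.append({"pid": pid, "parent": ppid, "image": image,
                         "pool_url": url, "credential_user": user})
    return hits


if __name__ == "__main__":
    print("self-injection:", find_self_injection(PROCESSES, API_EVENTS))
    print("persistence:", find_run_key_persistence(REGISTRY_WRITES))
    print("masquerading:", find_masquerading_children(PROCESSES))
```

Run against the transcribed records this reports one self-injection (1692 into 4364, twelve writes), one Run value ("Windows Security" under the user's SID, pointing into Temp) and one masquerading child (5116, with the pool user H4x0r_djred2). `ntpath` is used so the Windows paths parse correctly on any host, and the WerFault instances are deliberately not flagged because they sit under C:\Windows.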
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 14KB
  MD5:    9922477bc8d154d7c1d9528e03325d0b
  SHA1:   ff4401fed76657a2325485eabccfbbae9156cb7f
  SHA256: a0b3de75033b8ede8661b316a0baf6ab5899afb9515a9d525e914be35c440d91
  SHA512: 58266baa6bb223769f88eff1709abb0fef5911bfd6a58d09cac56952a5829a763616682e674f7c12a15d692f794ce89eb0e5174a33d1a9e5d4b6cf41a83098a5
Filesize: 74KB
  MD5:    93f6d0122c2b13a55ec467549429b5c8
  SHA1:   3f1e2101831d8b812c92bb03b7de0a2b47314c21
  SHA256: a11b09086205010e41ee0e938539b7fdbc132f73e85ed54df1016dee4f8793a0
  SHA512: aeef696afa62cf4c61372868f31f0706110de6f57faf5fa8990aa26b9f236405f7aee22511425009280ca861afeeda84a90a3c180a9e3eea3309a1830badd055
Filesize: 328KB
  MD5:    5cce96ba11c1492b7ce00030d98021de
  SHA1:   94054638dea3711cf28de3ec9d9b8fe4a54aef80
  SHA256: 4453e1939e32ea39c70b7b61265fa990dfc27e054838a0a559d4c86249af11b9
  SHA512: 35dadeea5171e62b5b7cb6b0bff9b83ebb830f5d9453444513295b4e56f3d3e25abb15ef45015b000d0477754268e45e56230d15f417f12fc0f89002f3cb4652