e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b

General

Target

e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
Size

334KB
MD5

84d5f05716bb0757445d5de1d3234d56
SHA1

dbd3391b489e08d61619fa4411bf692e9b7bcc2b
SHA256

e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b
SHA512

1062ebb72d73e66d5c8e4dbf19a25f922bcee908aa79734cae0991adac66538b902632041a08300d82f5f179f05ffcf1363d1356c28b2a6b6ed5f188c7f1d42b
SSDEEP

6144:5sQs/vBMOPmur84AXl/eWcsGtMYRCiDm7BUWUgEG6b0yRrOp5C2+zq4zuFE:5sQs2Amur8l90sGe4CiDm7B5INbN5K5S

Score

9^/10

evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001232e-58.dat	acprotect
behavioral1/files/0x000800000001232e-59.dat	acprotect
behavioral1/files/0x000800000001232e-60.dat	acprotect

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001232e-58.dat	upx
behavioral1/files/0x000800000001232e-59.dat	upx
behavioral1/files/0x000800000001232e-60.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNS = "C:\\Program Files (x86)\\Common Files\\e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe"	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\x.bmp	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\version.txt	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\DNS\cwebpage.dll	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\Common Files\e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\DNS\urls.dat	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\DNS\x.bmp	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\urls.dat	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\cwebpage.dll	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\affid.dat	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\Common Files\services.exe	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\Common Files\services.exe	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\DNS\version.txt	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File opened for modification	C:\Program Files (x86)\DNS\Catcher.dll	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\Catcher.dll	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
File created	C:\Program Files (x86)\DNS\uid.dat	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1968	e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe

C:\Users\Admin\AppData\Local\Temp\e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe
"C:\Users\Admin\AppData\Local\Temp\e109c39092f1fa1ee1f912e2724fa147eab7ea646a161398cd4dca39f083381b.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\DNS\Catcher.dll

Filesize
516KB

MD5
a6de7da83c695be6cbddc533e1240d39

SHA1
ae2b622569def5ee0d5ee1903cd138b8a7dcae9b

SHA256
cb39e38434374d3b669b821f1b2a72ae838f6c1086e5c26cdce08fafb2f00236

SHA512
17f236691ab35bedc07be2f24c503fa0563a44172e8886a9ae313279b9f1e9b60f99b37558da4109c58e9d32a517df8f1f49816c6e50c91661afdc526b333d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\System.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\System.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\System.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1142.tmp\nsisdt.dll

Filesize
5KB

MD5
df4795dfabe3bc9278a73d496cc4b40d

SHA1
2648ded47e29ecf3e1a1cc20c631e83caf566897

SHA256
2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10

SHA512
013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

Download Submit
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-64-0x00000000004A0000-0x0000000000505000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads