a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5

Analysis

max time kernel
121s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe
Size

885KB
MD5

0cb7e62db7dc88256abb26b8d9180bf7
SHA1

d341e9a6a9b23b6dd33c7a270fc58c9f40595b42
SHA256

a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5
SHA512

bd8720518f4373ae133894316fd4e4707b574d4919e569f3a04f1000b8df2472cb582aece8d7edbfe4cf554e14941065d620cc7e9b3220774a2276bec56adfa0
SSDEEP

12288:xW/GVmEDX/pmbuFdM6j+JOxWlB/y50d0U3c6jSKCIlnFkAM02dGJ/8O44pXE5Y50:WB/dukn6GF/+CvDLM

Score

9^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000139f7-70.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1436-56-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-58-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-59-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-63-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-64-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-69-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/files/0x00080000000139f7-70.dat	upx
behavioral1/memory/1436-71-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral1/memory/1436-73-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-74-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1436-75-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1436 set thread context of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe
File opened for modification	C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6183FE21-73C1-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035a243d8e3675740b9194dc186d2fd49000000000200000000001066000000010000200000001cd37209d767d8e542be79013a48dd03827d70a1ddd21ae649e91ab5cf2d4c61000000000e8000000002000020000000e6ceb843764a5c8e396cf5caa13d4cf17c70f12d1a13a78a56cd5833098f945390000000ee72df6339c08ea004a00ad88d6cbe74fabdce2a6499ba6b1a3100076ce28544c89fe6c69162dd24919812107f36698aaeee5f681ec3ef508e37f1e398564f7732a4934f4a6ef06eaf50d8a54947c740cb617001a0275d31b3b1c82c70b87af5967732701f5c7f793fc1c3aa7e324354ca010bb4707a7ae92f6839647dcd64cadf88184ea8581e7c8eb4ebca6294fada400000002eaeca5de74fab178438dba0504f2d83d0976a5af609ffe32bc4c58382f592f7065b22c2280304526b732c8646e53b7a8c67953caeb6005a938f53ae04fa3a07	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376915975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f5e948ce07d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035a243d8e3675740b9194dc186d2fd4900000000020000000000106600000001000020000000110979deacd98167b1b23101a9d538d96fc6d8a4d5f78419deeab2588de42f33000000000e8000000002000020000000371153690796c6ee1fc5165f6d5a29c630b58d10ae911fbe6d10cfda643b3a4820000000619d4c31770ac1053da463a96a162f2b0047ebb4aac9c2a87bba26736290199c40000000b984bbc3e17df2d9383b0869438386250d2953780a54a909e754481b32dfbcf25d80b64eb07244c285dc7029b07f99aea9625522fef5b24f5ce0e08911b7282b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1892	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe
1892	iexplore.exe
1892	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1396	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	27
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1756 wrote to memory of 1436	1756	a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe	28
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1436 wrote to memory of 1892	1436	updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe	30
PID 1892 wrote to memory of 1716	1892	iexplore.exe	31
PID 1892 wrote to memory of 1716	1892	iexplore.exe	31
PID 1892 wrote to memory of 1716	1892	iexplore.exe	31
PID 1892 wrote to memory of 1716	1892	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe
"C:\Users\Admin\AppData\Local\Temp\a246a4e7302d3fb1d2f691309294c7a73181b3afbec45a1195fc9eaa8997d8e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe
  C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe
  2⤵
  PID:1396
- C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe
  C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Program Files\Internet Explorer\iexplore.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\02NHXYRX.txt

Filesize
608B

MD5
4fc313dc24630023ae4e7cb3ad1edcc8

SHA1
73d5ba90f6d58bf6cb8b8fb0324850149f1f6c2b

SHA256
0fc11695b53d70f96e7aed194642341e43fcb9e2bd03b93935ca662bf7604afb

SHA512
86770d80b941eb8b3fe28707eb4ff46adc73dc7e6ec6c2c772f938f478602f2c58ae29a9832c16a528d99f1163ee7fbd2a19147bab988f280111d4f7adc7130b

Download Submit
C:\Windows\updaterNOXvcGVCIbjZFzByEohoTtfvzCtTv.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
171KB

MD5
744dcc4cbbfbb18fe3878c4e769ec48f

SHA1
c1f2c56ee2d91203a01d3465f185295477a1217d

SHA256
33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163

SHA512
706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21

Download Submit
memory/1436-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-69-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-59-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-75-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-71-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1436-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1436-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1756-72-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-65-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download