Analysis
-
max time kernel
41s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02-12-2022 01:28
Static task
static1
Behavioral task
behavioral1
Sample
87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe
Resource
win7-20220812-en
General
-
Target
87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe
-
Size
194KB
-
MD5
e4ff3c97e90a3854a7d66e0474ac1bf8
-
SHA1
6131c4a787c91f9b17a5a48f557e6b567cedb0b0
-
SHA256
87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405
-
SHA512
b6134904001c8d4d4267534d46d790f7a0b8433c1ac73da2da11ccb4ff51859596b578fd4b1aa6d4dfc44e20b96579de7e398d544957be565abae21a78eef868
-
SSDEEP
3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUypbXZc410uGg+QUWSR:h1OgDPdkBAFZWjadD4s5OJcWviR
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000016474-68.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 908 50df0da6e8490.exe -
resource yara_rule behavioral1/files/0x0006000000016474-68.dat upx behavioral1/memory/908-69-0x00000000743E0000-0x00000000743EA000-memory.dmp upx -
Loads dropped DLL 4 IoCs
pid Process 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 908 50df0da6e8490.exe 908 50df0da6e8490.exe 908 50df0da6e8490.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 8 IoCs
resource yara_rule behavioral1/files/0x0006000000015c9c-55.dat nsis_installer_1 behavioral1/files/0x0006000000015c9c-55.dat nsis_installer_2 behavioral1/files/0x0006000000015c9c-57.dat nsis_installer_1 behavioral1/files/0x0006000000015c9c-57.dat nsis_installer_2 behavioral1/files/0x0006000000015c9c-59.dat nsis_installer_1 behavioral1/files/0x0006000000015c9c-59.dat nsis_installer_2 behavioral1/files/0x0006000000016671-70.dat nsis_installer_1 behavioral1/files/0x0006000000016671-70.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27 PID 868 wrote to memory of 908 868 87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe"C:\Users\Admin\AppData\Local\Temp\87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\50df0da6e8490.exe.\50df0da6e8490.exe /s2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\bootstrap.js
Filesize2KB
MD5fa8f412695cef076870397420a39f6f6
SHA17d9031bef94d310328e802cc0822ae5d73c9c7df
SHA256b5630df366bd6b1e655c3431650e92ef74be5489ef741661bb47afccf9ff4df1
SHA512bd067ae925342c40fda821f93aa5a19fed4be9c74bf3e01f9dd7602a5fc1e2b54bd63491c1fc466c4b660da1eee4c9762361140f22f311f9ee52edf2b96fe9f9
-
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\chrome.manifest
Filesize116B
MD5f36f87e4375857894574a3ac0ab47248
SHA159aaf1a5ca6afa73eb862b9cfd48a93fd9246a68
SHA256b0190769fabc91d2e87c34489dda30fda176be465935fda8f61393ea85440d52
SHA5128437f270963de0134dffa60a9eff1c50a40296a158bdac1ffbbc09497c21a25c1b577188f4d76bc1d9c21c48b1c090e4efe2e1dd29dfc9112ee5a38c2f609e93
-
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\content\bg.js
Filesize8KB
MD5caa870d8dc647eb3d2f84d68a7b74768
SHA110ab317e1695addd4269e15b398d7c7e1a4e9988
SHA256e6d244b12786b7060707e50858aae88852dfa3d8b356cc6724230e13a7f5bf8b
SHA5126663f8fcb97ed55b7a7eca6d2376e05b8258a5abdd973c5051cd50456585f6084ce4fbd256150307e87322453570dd3c6670194a150e4f7bc21246a374410f1f
-
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\content\zy.xul
Filesize225B
MD51247a4e57e7ee41a5b408d68d78267b3
SHA1c84b7ac6f1331d70382224428e57e2269d220bc5
SHA25619f3a3be0e9bf961d725a4cf814dfb7b91680701adf5bf11d754036ab793c53c
SHA51213e8b57165ecdc288c4495edf7534ab2ea00a1b21ebe1fb1f18db0e8a73d60de86c133632ea1b68b6bcece082b223255fb39c7bdd0062b37746ad1b29fdd9b76
-
C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\install.rdf
Filesize700B
MD5d1283958fae5735f95e1aea6aec619ac
SHA14d91fa4132df7b34d5f52d2f8a3ca6c378b6bedd
SHA256965cd6aae1db934ed1d81f463c963aea510688ee144fbf1f0263c98631d27b6a
SHA51254dbfd9b10420df1b667b39d051a5e27ff3c42e3418e47ed55bb7f4d34a054fc3e3821368e41751996f08705cdce026aa3dc2d3b1f30d5e29a6fbdb60e60dbf6
-
Filesize
70KB
MD5ebcc3eb1a7021aaead55fb677465a717
SHA13c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA2565e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA5120f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995
-
Filesize
70KB
MD5ebcc3eb1a7021aaead55fb677465a717
SHA13c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA2565e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA5120f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995
-
Filesize
8KB
MD5b403e4d3b44d640c04a78a94ebd77431
SHA18d5fa967349086e71f9df6b25f5b7915aff46233
SHA25684c22f70fd373668b4850fa90969663a6cc5e50f38ce3a9818b8c112024b08c5
SHA512a948a5a64d44ccdff77c19f0760e4e1f01cb35e4561202f9ccb8c5f4562fe6f1fa589bb4443aae1eb2adfa5d4e25f8bb9b174ae18df552517f2af7b7e7800769
-
Filesize
615B
MD5ef08555933efca7b1918ec0ce6940702
SHA148ae1cd37dbf261eb4f3165fa4d2265984cdabad
SHA256aeffecf0e3e08a9f74b3d066847acae92e7047e71a23ac880836b039130fc4d2
SHA5122404c9057a5ae2f66bbd22aeb3392d7f35dbc3ebf6491b3ce2e200d304b48e61b6a570de85b03a533963ea31f32a68297676b6b638c1bdd7ec8b699631e7dd1b
-
Filesize
48KB
MD5e9c9582996a23b2a49a058dcaa3b5525
SHA1f527cc64e759f06c011e5eeffbd217d5249c04df
SHA25643c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9
SHA512665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f
-
Filesize
70KB
MD5ebcc3eb1a7021aaead55fb677465a717
SHA13c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA2565e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA5120f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
7KB
MD5b9cd1b0fd3af89892348e5cc3108dce7
SHA1f7bc59bf631303facfc970c0da67a73568e1dca6
SHA25649b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90