61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe
Size

2.6MB
MD5

b56b85075d2958e11a0e8c3bcb5121b8
SHA1

af47151ad975a465250f6df9e291b22328011f3e
SHA256

61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3
SHA512

32d6f71ce2323bae774a2dcc7c11426473054daf6a4dcadb1eb74a3c702965dfb340eec69ee24cca23824f022f011a1963beba781131747b16322ed582bd3703
SSDEEP

49152:X7QllUbHvSf+gmI/W/aC3gqHEDRUwK//izAqFE5nUXKoPTf0B28xaw89aWQXsnT3:X74cPs+gmICnpkU3TqlX9CrEw8VXlMS

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022e2e-133.dat	acprotect
behavioral2/files/0x0007000000022e2e-134.dat	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e2e-133.dat	upx
behavioral2/files/0x0007000000022e2e-134.dat	upx
behavioral2/memory/528-137-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
528	rundll32.exe
4656	61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe
4656	61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1664	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 528	4656	61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe	80
PID 4656 wrote to memory of 528	4656	61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe	80
PID 4656 wrote to memory of 528	4656	61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe	80

C:\Users\Admin\AppData\Local\Temp\61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe
"C:\Users\Admin\AppData\Local\Temp\61b1d07a44be8b30800b6dbe5706def212435463280136d43b2ee9a27204d1e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe autostarter.dll,ShowSplash C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\splash,0xfefefe
  2⤵
  - Loads dropped DLL
  PID:528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\InstallOptions.dll

Filesize
12KB

MD5
07f3b3445f66e1089567796bf3c8be78

SHA1
851eb574c1067b23a654f8aa47b17ef599b24d1c

SHA256
a505e6c537a5ce0166227dda9f7671605395592ac9f1a3764e8a01b713939db1

SHA512
8c56308fff3a947b26fd0d98dbdd96c406ddf967f5d7abee8cba082b6c46a4e575094bb0bb981551ac5160bb5089cf6fb125dd17a659c427e28c07402adab1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\LangDLL.dll

Filesize
5KB

MD5
2c3c8976d729d28478a789217a882291

SHA1
10c18b23fac957419547ef0f8ec3bc1b10e91e79

SHA256
799f91bdd59f2133bf195c5b4ca685ee91666d981a6bcd8a6c45b7c8ecc96eef

SHA512
749c650974f94cc5009124d3fa3d9bb1ee5824a3fa0a76b81733e08379678a2a1b7c54b77d1709fb6de24c81c68c03c0ec3e9ec5ccad0d30d9237300794f1213

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\autostarter.dll

Filesize
39KB

MD5
75428508f0a961d7cf150599ba19d364

SHA1
6920b8ddd3241eb8762a4e3bf0b5fb78e2d0b8eb

SHA256
cedccf1a11e9fc56832330eab8e6f3cdab97616216b488ad918e564f06e54a87

SHA512
7f656a6e94f0da59e10077ae1432d06a89a4560a5f1f3801fd78279657d56bbcc0e1c29fd97621a2ea9aab448f69c98947e24045a36404e376f8df5c5d1b0c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\splash.bmp

Filesize
162KB

MD5
20f4e8ce8a5086a365edff858bb08513

SHA1
e35ed6133e26ad84ab56bf27f1df1359a328de73

SHA256
4de409e876cf08ed77a2497b6293afe82af322624e1193977ff0136cd3f24ac3

SHA512
6d510e381799251c16d84b7aafabd706d3b0bde205d81032d0b19d3a101c4a1dd1eb4988bf4d7372f110b27996ee8d6f5fe08da3959a6b86064aa994773560b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\splash.wav

Filesize
312KB

MD5
e1a3a4483f6d74a16296971e4f69b7b9

SHA1
63eb54ba90fc09d376cef6e41ed6b5f6322cdc4f

SHA256
993c2c7c00779a52040b37b6b4026389fe6375a604a18c9c88bd014949889146

SHA512
64cf0973af082d5fc71492be8e86edb6960457926a5fbb27963803f055b2eddad36cc063340c142795fc9d3b88fd00b55e5503fcd2baf948cb98dd39dd4c2803

Download Submit
memory/528-137-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download