59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Size

21KB
MD5

428adfafe1a9e26985937585d1665700
SHA1

07a5f87402b16f329fbfd19b56a9116e849d2ecc
SHA256

59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834
SHA512

f0544ab7e40edf6432841b9bd34c14878fde626e13091b0c5ce4ac6654df56a4a5cb685798fd026315307b3bd32c7606e82d80f3c0a99cb584ed5d5fac1e8722
SSDEEP

384:5rBs9M5DG0jwQ7mYrkzvs6x6sp1+qyr/6Zq9xT6B9K8GpBG1:BBrDGYZD6Jtyj6hB9gq

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012324-55.dat	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012324-55.dat	upx
behavioral1/memory/1184-56-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1184-57-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/1184-59-0x0000000010000000-0x0000000010010000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\YywxhF7TSnkktrJw.ttf	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
File opened for modification	C:\Windows\fonts\bQgc5yHMSD4yd.fon	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}\InprocServer32\ThreadingModel = "Apartment"	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}\InprocServer32	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}\InprocServer32	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}\InprocServer32\ = "C:\\Windows\\fonts\\bQgc5yHMSD4yd.fon"	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
Token: SeDebugPrivilege	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1720	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe	27
PID 1184 wrote to memory of 1720	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe	27
PID 1184 wrote to memory of 1720	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe	27
PID 1184 wrote to memory of 1720	1184	59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe	27

C:\Users\Admin\AppData\Local\Temp\59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe
"C:\Users\Admin\AppData\Local\Temp\59e231fa6efad7994de09dff96ba18924990a579e27cf23b09737d5263cf1834.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\59E231~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Fonts\bQgc5yHMSD4yd.fon

Filesize
15KB

MD5
c6b733a3f807da59142bd6696eb70fcc

SHA1
676f27993e0d11f4ad64fca8960372448e033b72

SHA256
d3ec1858890e8a1dcdb4fa4a98bb31e7ea13506e5ede746ed3068d122863acae

SHA512
b63d6fcebd47111990b2488b7290a0f75f8c245168940a38dcc3098d67f0d278d2f41ebe91f20ef9a419580cf4347abbc2eefd926906b4f6a08e098c8b651f30

Download Submit
memory/1184-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1184-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1184-57-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1184-59-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download