Analysis
-
max time kernel
112s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
04-12-2022 05:29
General
-
Target
bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
-
Size
3.1MB
-
MD5
ad796cddffda8d111ba71bafc09473e6
-
SHA1
48069f57d229ede3d4999591bfa0204a56815a74
-
SHA256
bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e
-
SHA512
b27831fee3250a92aa4be4b7c65aae91cb239803e3045e8027fd9e0c5b1e6813e9e71dc92013f98bf8dfd8ba74c929af4586fad8c0a628ce5e89b0efa25e2134
-
SSDEEP
49152:3LBT/nj3GHEvytnxr+QFpf2w8btDJtZ/1yYorfS6AT9yLEBCxGPJ2Tpohpu:3FjWQQFp3EJJtZ/cr1BATcGy
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe"C:\Users\Admin\AppData\Local\Temp\bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe"C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe" killprocess svchosb.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\svchosb.exe"C:\Windows\system32\svchosb.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x41c 0x2401⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD5aac005d1197cba6c0f9a725c889d489d
SHA1b31f7126dd1aea03d58cd33a6b9a49685471a5e2
SHA256a584007ac2173048bb8f6e94022b661dc955105d39fcb206d7df339abfee661d
SHA512b88331674f869221724361afcb687d4104ce9381f074b67816af13110365e2ff055d5e31638e868c1d5ca0c871d87da69fb6eba3daca097b104ed9ccf0a89e8f
-
Filesize
160KB
MD5aac005d1197cba6c0f9a725c889d489d
SHA1b31f7126dd1aea03d58cd33a6b9a49685471a5e2
SHA256a584007ac2173048bb8f6e94022b661dc955105d39fcb206d7df339abfee661d
SHA512b88331674f869221724361afcb687d4104ce9381f074b67816af13110365e2ff055d5e31638e868c1d5ca0c871d87da69fb6eba3daca097b104ed9ccf0a89e8f
-
Filesize
32KB
MD5bb6c6f99dfa35d705592909772f1e261
SHA12ed55e5210b4e662c8bddc0dfdce06ab781f58b3
SHA25666f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1
SHA51296244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c
-
Filesize
32KB
MD5bb6c6f99dfa35d705592909772f1e261
SHA12ed55e5210b4e662c8bddc0dfdce06ab781f58b3
SHA25666f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1
SHA51296244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c
-
Filesize
187KB
MD529fd6bf2fc8522976b419cc535bd6414
SHA170e73681cd6e1e654211990fec65839a7bfa6931
SHA25685002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841
SHA512ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a
-
Filesize
187KB
MD529fd6bf2fc8522976b419cc535bd6414
SHA170e73681cd6e1e654211990fec65839a7bfa6931
SHA25685002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841
SHA512ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a
-
Filesize
650KB
-
Filesize
650KB
-
Filesize
424KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
105KB