5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b

Analysis

max time kernel
148s
max time network
88s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
Size

5.4MB
MD5

c5ca3792f3c010337eb5f79df637d68b
SHA1

cfd0e532c63a492d7b52760a206b9a3ca6d0527d
SHA256

5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b
SHA512

dec4aea7874d063ba6d6b12bae9ab1ddca66137e9f926b6b3bc9b937e3ff16cf71829b94bdb30bb2517bb8aa297516a9344bccc2d6361ac77b96adfbdd68053d
SSDEEP

98304:U1k8VO82XHfzqEKn7QSNak6VyhDLYnWO2XJ4tpx69BIMYMqjO97vbNnLlt:G2XHfOEKsniMn92Xitpx6DzYMSCvbNh

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000013152-67.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013152-67.dat	upx
behavioral1/memory/940-68-0x0000000073EF0000-0x0000000073EFA000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe
900	RunDll32.exe
652	RunDll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 900	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	28
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29
PID 940 wrote to memory of 652	940	5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe	29

C:\Users\Admin\AppData\Local\Temp\5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe
"C:\Users\Admin\AppData\Local\Temp\5b73a5c0592d77a96df766c4e216a08a3cd5d8f1ae54c42c2b2a8b6c4271e75b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 940,85845B1F185E46A9B51F8201C7EEAC4B,ED9DACBF036C4061B18504637BEB9FF7,29DCA40EF51348C692F907D9817F39FA
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 940,2467774E32FF4ABA9876EA26B302B77F,3A70E2D92A5D4E0D8ADAF42DA899DE04,29DCA40EF51348C692F907D9817F39FA
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\InstallerStuff.dll

Filesize
115KB

MD5
bcbacda49fb2c44fee595cbc82036242

SHA1
a33356996c7b3e032693bb373bbde2acf72cc469

SHA256
77ecf5896f33bbc002f00dd4742c00a20981bbc618563e49f34ea8f740da890d

SHA512
18c44cedb9b0fbd301ad9cbe5ebafe66d16380090baa41697f3224a5086313c61420730e8a5050fa7de31e2f47dbd21259d6758cf84557e0c34b901a93c4ddc0

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\OCSetupHlp.dll

Filesize
848KB

MD5
9e4e850e12f2f4f869b2491dbbb17ceb

SHA1
bd89581a89604b601c817ea680c2a224b46737f8

SHA256
4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6

SHA512
9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE8CB.tmp\nsJSON.dll

Filesize
6KB

MD5
292aa9f95a7f081625056c497078159a

SHA1
72076f3eb146ab7ea2b3dd0ef6a63c06f86d64f1

SHA256
18f2b2f20c65a022a1c8aaf776b4c9be6c193b73c2079d9d65d56b802fcadfb5

SHA512
87f83c3bbcfedd98364b5d0209f912e66c72d43eb887438ad9735c078e6d1f6ea12566a75f0b652602bbd9f0608ce7148dc1703821f2ab6b366f061b8a58d910

Download Submit
memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/940-68-0x0000000073EF0000-0x0000000073EFA000-memory.dmp

Filesize
40KB

Download