d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139

Analysis

max time kernel
187s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe
Size

2.8MB
MD5

0d29508eb32c8da127df45067b3528fc
SHA1

cb487ece6d178cbb9322084cc1aa718093a190c3
SHA256

d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139
SHA512

140abd755aced5b36cd9454eb0d2adcd977d8ed8964cf6eee75d0f8658574e335c17c1a7b407dbcdb1228abbf5a5dd534d8eaaaa7b3d71da16408da7aa6fd906
SSDEEP

49152:djNSVc8KcbWiN/Aer/3lBVqt0jAdow+D8jx4ovApzzkX+WdmHq:djNSVKZiNRr/3HA0j9xDy4oIpfa+E

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000022e1f-149.dat	acprotect
behavioral2/files/0x0009000000022e1f-148.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
3532	Wupdate.exe
4048	AiR eLicenser Emulator Setup.exe
2300	AiR eLicenser Emulator Setup.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e17-133.dat	upx
behavioral2/files/0x0006000000022e17-134.dat	upx
behavioral2/memory/3532-135-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3532-136-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
2300	AiR eLicenser Emulator Setup.tmp
2300	AiR eLicenser Emulator Setup.tmp
2300	AiR eLicenser Emulator Setup.tmp
2300	AiR eLicenser Emulator Setup.tmp
2300	AiR eLicenser Emulator Setup.tmp
2300	AiR eLicenser Emulator Setup.tmp

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3532-135-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral2/memory/3532-136-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	AiR eLicenser Emulator Setup.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	332	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	332	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2300	AiR eLicenser Emulator Setup.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3532	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	82
PID 4056 wrote to memory of 3532	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	82
PID 4056 wrote to memory of 3532	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	82
PID 4056 wrote to memory of 4048	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	83
PID 4056 wrote to memory of 4048	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	83
PID 4056 wrote to memory of 4048	4056	d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe	83
PID 4048 wrote to memory of 2300	4048	AiR eLicenser Emulator Setup.exe	84
PID 4048 wrote to memory of 2300	4048	AiR eLicenser Emulator Setup.exe	84
PID 4048 wrote to memory of 2300	4048	AiR eLicenser Emulator Setup.exe	84

C:\Users\Admin\AppData\Local\Temp\d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe
"C:\Users\Admin\AppData\Local\Temp\d6852bc8a49702bf20a180bc78fb924ca6957be04e27c8d06ccb3e502f866139.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\Wupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Wupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\AiR eLicenser Emulator Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\AiR eLicenser Emulator Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\is-8IO5R.tmp\AiR eLicenser Emulator Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8IO5R.tmp\AiR eLicenser Emulator Setup.tmp" /SL5="$E0066,1841672,318976,C:\Users\Admin\AppData\Local\Temp\AiR eLicenser Emulator Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AiR eLicenser Emulator Setup.exe

Filesize
2.2MB

MD5
d1a96902cd6c40e14944ab352925a435

SHA1
df8bec8cacb82d838c7a3ef49c6a81e4ca7aa68f

SHA256
02d941dc43d3dac8e4ce1afbd45ffa072ecfcd7d15198664e5018bd0a7d417e1

SHA512
98d5fa56ee50c945e9d598693c8e6c084c8408b00d3c6eb04e7ea4389ae53f58452895a6d9da1375a393967ab88ae8162a2577e64d8fee7b4f58bffa3e9d7662

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiR eLicenser Emulator Setup.exe

Filesize
2.2MB

MD5
d1a96902cd6c40e14944ab352925a435

SHA1
df8bec8cacb82d838c7a3ef49c6a81e4ca7aa68f

SHA256
02d941dc43d3dac8e4ce1afbd45ffa072ecfcd7d15198664e5018bd0a7d417e1

SHA512
98d5fa56ee50c945e9d598693c8e6c084c8408b00d3c6eb04e7ea4389ae53f58452895a6d9da1375a393967ab88ae8162a2577e64d8fee7b4f58bffa3e9d7662

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wupdate.exe

Filesize
429KB

MD5
8823cba803209cd3adecb5fd35ffe8b4

SHA1
dafe2b701ef5edc4569097e2e9b4901f7c342d62

SHA256
cfba58aea33645f1d947077542430c15f615bf3879cad68614b400a5ffcc6ea1

SHA512
fb907a72f6bc068f905fc81bbcb4082b92e18fb3bf7fa6475e5f719b1f2836b877c8b5a029e0185d05dc260c942c1a31d0a27c16530364d749e599db0d673548

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wupdate.exe

Filesize
429KB

MD5
8823cba803209cd3adecb5fd35ffe8b4

SHA1
dafe2b701ef5edc4569097e2e9b4901f7c342d62

SHA256
cfba58aea33645f1d947077542430c15f615bf3879cad68614b400a5ffcc6ea1

SHA512
fb907a72f6bc068f905fc81bbcb4082b92e18fb3bf7fa6475e5f719b1f2836b877c8b5a029e0185d05dc260c942c1a31d0a27c16530364d749e599db0d673548

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8IO5R.tmp\AiR eLicenser Emulator Setup.tmp

Filesize
928KB

MD5
3dcf654fdbe60c9cf1d633ccd9d6f3d7

SHA1
51ee8a461a27fb9b1940b0296ad02219ddf72a13

SHA256
00001a2498d2a92e16579eff239175122d1c790a76b87804d4bbf51e4ce374af

SHA512
dd81a4787d13a6d997fb8a0390771b28efd337c9209d3b2f1cb16503f73721e36aa55e4a8e7a2746b7a3312a24ba699fa216b461de5e27f5cfae329c8ea82878

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8IO5R.tmp\AiR eLicenser Emulator Setup.tmp

Filesize
928KB

MD5
3dcf654fdbe60c9cf1d633ccd9d6f3d7

SHA1
51ee8a461a27fb9b1940b0296ad02219ddf72a13

SHA256
00001a2498d2a92e16579eff239175122d1c790a76b87804d4bbf51e4ce374af

SHA512
dd81a4787d13a6d997fb8a0390771b28efd337c9209d3b2f1cb16503f73721e36aa55e4a8e7a2746b7a3312a24ba699fa216b461de5e27f5cfae329c8ea82878

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\BASS.dll

Filesize
96KB

MD5
43564b7dbdf619e28334973fbf61b29b

SHA1
7dd28aa2654e22a59c01f6e71a7a9daf386b9479

SHA256
cf9e1af309de242fe453d36c22ec86e09c5b9dc0ddcf1696510ee00f4b0b475e

SHA512
a9e7842d6f63b0a5fa5a20ac1b893d4a0fa6781af9387d6735d86e82cb2667d58bba0ce5b1ec46d94a629ab77d652fd069a92b1bf47b62947a76af423e38ac75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\WaterLib.dll

Filesize
120KB

MD5
7aaf9f850b21512678623a9206f572a3

SHA1
1b13e31efa4b32e368010e6a4d02436373220279

SHA256
ad46a43f535d647ab6ed9a8badcee1eff3497e45348844be327f505905b66e2b

SHA512
af2e2fe324928da0c9d59fa9f20bc5614ffe414b5d460296c81452acd0952ee523b75e6a7163c35a52b5b7e134739736331297da6e466d64edf3785222f7ab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\WaterLib.dll

Filesize
120KB

MD5
7aaf9f850b21512678623a9206f572a3

SHA1
1b13e31efa4b32e368010e6a4d02436373220279

SHA256
ad46a43f535d647ab6ed9a8badcee1eff3497e45348844be327f505905b66e2b

SHA512
af2e2fe324928da0c9d59fa9f20bc5614ffe414b5d460296c81452acd0952ee523b75e6a7163c35a52b5b7e134739736331297da6e466d64edf3785222f7ab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\isskin.dll

Filesize
363KB

MD5
b31ad1bacfd7c51f35e052b8c7047d44

SHA1
ba58ae4a4a28cd2a4c2a7b85d260e105fa6e79de

SHA256
117ae53cf3e8bc95e6297a15d8365efd792da04df90744d4e244bbf72075ccc3

SHA512
2a4c0d3f7065a9272bd70e8fd121e80d9c4e3d9089285841b245790f4789704c27cb88333ddbf3bbecbc26af926b7ffd7a722352c7f418c84a9087cb1a748368

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\skin.cjstyles

Filesize
633KB

MD5
8600d8d22512459f9a195e82610af90a

SHA1
2f173a9698d0679f1ba366375e78a902aff91528

SHA256
3c33935f5ad8d991f2eb7419e08b6539cabc68584f24bbcc7b5f07dd59b88202

SHA512
bbf9a936777890b524068db2d9e072ba5402866389c5a5f0799ad4f6973395820b6a330d465fe6615102f1178571b4e480ed9f00992f607df6bd565d5cfea0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DRH79.tmp\skin.cjstyles

Filesize
633KB

MD5
8600d8d22512459f9a195e82610af90a

SHA1
2f173a9698d0679f1ba366375e78a902aff91528

SHA256
3c33935f5ad8d991f2eb7419e08b6539cabc68584f24bbcc7b5f07dd59b88202

SHA512
bbf9a936777890b524068db2d9e072ba5402866389c5a5f0799ad4f6973395820b6a330d465fe6615102f1178571b4e480ed9f00992f607df6bd565d5cfea0fb

Download Submit
memory/2300-175-0x00000000759B0000-0x0000000075A8C000-memory.dmp

Filesize
880KB

Download
memory/2300-183-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-274-0x0000000011000000-0x0000000011063000-memory.dmp

Filesize
396KB

Download
memory/2300-273-0x0000000011000000-0x0000000011063000-memory.dmp

Filesize
396KB

Download
memory/2300-271-0x0000000005540000-0x0000000005595000-memory.dmp

Filesize
340KB

Download
memory/2300-214-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-152-0x00000000755C0000-0x000000007563A000-memory.dmp

Filesize
488KB

Download
memory/2300-153-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-154-0x00000000755C0000-0x000000007563A000-memory.dmp

Filesize
488KB

Download
memory/2300-156-0x00000000755C0000-0x000000007563A000-memory.dmp

Filesize
488KB

Download
memory/2300-157-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-158-0x00000000755C0000-0x000000007563A000-memory.dmp

Filesize
488KB

Download
memory/2300-155-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-160-0x0000000005540000-0x0000000005595000-memory.dmp

Filesize
340KB

Download
memory/2300-159-0x0000000076580000-0x00000000765A5000-memory.dmp

Filesize
148KB

Download
memory/2300-161-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-162-0x00000000755C0000-0x000000007563A000-memory.dmp

Filesize
488KB

Download
memory/2300-163-0x0000000076580000-0x00000000765A5000-memory.dmp

Filesize
148KB

Download
memory/2300-164-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-167-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-166-0x0000000076580000-0x00000000765A5000-memory.dmp

Filesize
148KB

Download
memory/2300-165-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-168-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-169-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-170-0x0000000076EA0000-0x0000000076F83000-memory.dmp

Filesize
908KB

Download
memory/2300-171-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-172-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-173-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-174-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-213-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-176-0x0000000076EA0000-0x0000000076F83000-memory.dmp

Filesize
908KB

Download
memory/2300-177-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-178-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-179-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-180-0x0000000074EC0000-0x0000000074F34000-memory.dmp

Filesize
464KB

Download
memory/2300-181-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-212-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-182-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-184-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-185-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-186-0x0000000074EC0000-0x0000000074F34000-memory.dmp

Filesize
464KB

Download
memory/2300-187-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-188-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-189-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-190-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-191-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-192-0x0000000076580000-0x00000000765A5000-memory.dmp

Filesize
148KB

Download
memory/2300-193-0x0000000074EC0000-0x0000000074F34000-memory.dmp

Filesize
464KB

Download
memory/2300-195-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-194-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-196-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-197-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-199-0x0000000074EC0000-0x0000000074F34000-memory.dmp

Filesize
464KB

Download
memory/2300-198-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-200-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-201-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-202-0x00000000759B0000-0x0000000075A8C000-memory.dmp

Filesize
880KB

Download
memory/2300-203-0x0000000076EA0000-0x0000000076F83000-memory.dmp

Filesize
908KB

Download
memory/2300-204-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-205-0x00000000764D0000-0x000000007657F000-memory.dmp

Filesize
700KB

Download
memory/2300-206-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/2300-207-0x0000000074EC0000-0x0000000074F34000-memory.dmp

Filesize
464KB

Download
memory/2300-208-0x0000000074820000-0x0000000074944000-memory.dmp

Filesize
1.1MB

Download
memory/2300-210-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/2300-209-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2300-211-0x0000000074F40000-0x0000000075150000-memory.dmp

Filesize
2.1MB

Download
memory/3532-135-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3532-136-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4048-146-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4048-140-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4048-145-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download