ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b

Analysis

max time kernel
40s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Size

44KB
MD5

28b0b03a1d23529a1f5c59ba7cd6b918
SHA1

f73d4e435c50eb344f95c2c787b73f9ef497200d
SHA256

ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b
SHA512

a6f473015a890c04a32a0ce84ee5283e6e89c32f9ef5a41dfb16b77f122c34e9eed2b6153312002b9c1d97d144cabcbd927d54dbbb79955945d3f567731ff96a
SSDEEP

768:iTGU6btwHyyOJJJJJJJDzaKqA8NCRj0lfAQTQ2O:iif6yHJJJJJJJDzaKJ6CjHQTQ2O

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014b5d-55.dat	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014b5d-55.dat	upx
behavioral1/memory/1996-56-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/1996-57-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/1996-59-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\122B901E.dll	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\cFDPmh3MDPjcHMPd.Ttf	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\122B901E.dll"	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32\ThreadingModel = "Apartment"	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
Token: SeDebugPrivilege	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1500	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe	27
PID 1996 wrote to memory of 1500	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe	27
PID 1996 wrote to memory of 1500	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe	27
PID 1996 wrote to memory of 1500	1996	ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe	27

C:\Users\Admin\AppData\Local\Temp\ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
"C:\Users\Admin\AppData\Local\Temp\ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EF047F~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\122B901E.dll

Filesize
18KB

MD5
0e2ffeed4f6e3301535f1d77debedc1b

SHA1
bf8dabe39876db2ad369702252456ffcfc9541d9

SHA256
7cf910da8e6116c9448e9e53781c51051b42c1376976fe6db1af5ad7961e2977

SHA512
47afee207001c6d24782197b8a6fb3d1dc6ae4f91d9b5bec975bc482c182d2adb38c0a42281d1629181aeab2b766f97e96d2eb7378b05900e0095fd0f81b50ad

Download Submit
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1996-57-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1996-59-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download