Analysis
-
max time kernel
176s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2022 13:36
Behavioral task
behavioral1
Sample
76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe
Resource
win10v2004-20220812-en
General
-
Target
76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe
-
Size
6.2MB
-
MD5
5842a6c45ad72f004cfa7bd90d95b0dc
-
SHA1
80472a89e5e11c2cdffa281667e1d280c20d3dee
-
SHA256
76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab
-
SHA512
00814a5fa70b12cf547e5b8dad6b801395f72dc309fe656a78c49e9cd32ed738f405fa8af96b9525d4c1cbb15860fe791c4b50ee0fd58eb2ecf5c48c2341a1b1
-
SSDEEP
98304:w7M1xJHb4Q8Ihu3CB5+4cDMGZwBKbS30I4L5tkFh3+x9harqSLlvgrMAJrOztWx:w7UxJ0Q8BMEtpFN1Lc/3+x90JafOE
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 5 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000b000000022e36-133.dat acprotect behavioral2/files/0x000b000000022e36-132.dat acprotect behavioral2/files/0x000b000000022e36-143.dat acprotect behavioral2/files/0x000b000000022e36-142.dat acprotect behavioral2/files/0x000b000000022e36-141.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 2672 install.exe -
resource yara_rule behavioral2/memory/1100-134-0x0000000000400000-0x0000000000424000-memory.dmp upx behavioral2/memory/1100-137-0x0000000000400000-0x0000000000424000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe -
Loads dropped DLL 4 IoCs
pid Process 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 2672 install.exe 2672 install.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 2672 install.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1100 wrote to memory of 2672 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 81 PID 1100 wrote to memory of 2672 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 81 PID 1100 wrote to memory of 2672 1100 76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe"C:\Users\Admin\AppData\Local\Temp\76eee07d720405e8d6c0165441c6a5180202770f8ab2820aee55e0f7d21676ab.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2672
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.5MB
MD572b75fb7ddd3c9fcd0b68ec1243f4a8a
SHA1ae0d31b182a9330f7c5d5af43ee1c9abc413ecd6
SHA25643d118add4ae4a39284930a8539394ff492d1d1231202948933b53024dbceffd
SHA5129217bf24138b6aab3fd6c515f30cb0643690c547d6786bca4daf69b041edcd4037d5f6959c709285244454ec597275c0f7967fc2af8fd9779db3169ddfba6f0d
-
Filesize
432KB
MD5d8eda4a99ff80a6d20d6c76b70359875
SHA19be3072043a093e0c4dd80024d58e4c20b4feb7f
SHA2564b10ededba918ad41821e5b2d438f2d35618ca7e6bc2481ed4f046b8c194dfc8
SHA51260f27d76f89196921983336ff35e6d5bfa5da9c49e88a89f379ff3f7fafedf35e4d15d89f9d3ff972c4931caaff200f38db2c7c158b34fd8c350d71ece24a04e
-
Filesize
432KB
MD5d8eda4a99ff80a6d20d6c76b70359875
SHA19be3072043a093e0c4dd80024d58e4c20b4feb7f
SHA2564b10ededba918ad41821e5b2d438f2d35618ca7e6bc2481ed4f046b8c194dfc8
SHA51260f27d76f89196921983336ff35e6d5bfa5da9c49e88a89f379ff3f7fafedf35e4d15d89f9d3ff972c4931caaff200f38db2c7c158b34fd8c350d71ece24a04e
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9