e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8

General

Target

e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe
Size

104KB
MD5

3d4934a48e0cdcc7dd674ccf4dd362f8
SHA1

cbf3d6406827016478dfaf16aa3c18ca76f80fab
SHA256

e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8
SHA512

dca583b6aa529ed83bf2607e3359aac9f516635889831104a3fbb8635f2e33f1983da0d76cd3dcd98adefceaed201dd2d8e737ce7677533135f0703715cbf6b5
SSDEEP

3072:IgXdZt9P6D3XJbC8s1tvTTDNjl3MQSRLHhb4ek+rBDl3tqw:Ie3448etxjl3MfL1zDww

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000132fb-57.dat	acprotect
behavioral1/files/0x000b0000000132fb-58.dat	acprotect
behavioral1/files/0x000b0000000132fb-59.dat	acprotect
behavioral1/files/0x000b0000000132fb-60.dat	acprotect
behavioral1/files/0x000b0000000132fb-61.dat	acprotect

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1120	rundll32.exe
8	1120	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000132fb-57.dat	upx
behavioral1/files/0x000b0000000132fb-58.dat	upx
behavioral1/files/0x000b0000000132fb-59.dat	upx
behavioral1/files/0x000b0000000132fb-60.dat	upx
behavioral1/files/0x000b0000000132fb-61.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1120	rundll32.exe
1120	rundll32.exe
1120	rundll32.exe
1120	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
912	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1120	rundll32.exe
1120	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 2016 wrote to memory of 1120	2016	e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe	28
PID 1120 wrote to memory of 1972	1120	rundll32.exe	32
PID 1120 wrote to memory of 1972	1120	rundll32.exe	32
PID 1120 wrote to memory of 1972	1120	rundll32.exe	32
PID 1120 wrote to memory of 1972	1120	rundll32.exe	32
PID 1972 wrote to memory of 912	1972	cmd.exe	34
PID 1972 wrote to memory of 912	1972	cmd.exe	34
PID 1972 wrote to memory of 912	1972	cmd.exe	34
PID 1972 wrote to memory of 912	1972	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe
"C:\Users\Admin\AppData\Local\Temp\e6195d43acdbfca10f97fe1230b0d1d16b67c0d51babc3f18abcf27ba62b45b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll",Install C:\Users\Admin\AppData\Local\Temp\nSVYTsRt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nSVYTsRt

Filesize
1024B

MD5
72978773925678f4a39611b43ad4faa7

SHA1
6fa4bbef64c5545a064930dd46e38c21c2521ff7

SHA256
18b1bdf615e5e6b60b1fbf226b7bf18216b1f286012952c02530b93285d4eba0

SHA512
9aff763908621f2522fea8e2c663448c52d882a4896d341aa34402e501a6d3b978f0eff0d2014c006ad8258fd0c17aee77917229c280e3d1b495f452df734902

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll

Filesize
73KB

MD5
6b1b2ab3fc622299dcad52f581855419

SHA1
bcab8a82e52f582983d668bc1f32ae9cf508110b

SHA256
0926a2f0732014450a1897ec287d36642353bc5e4aa1ad4500d340bc20394d48

SHA512
9382791e6e140321146eb6e67af14cae9473d955eaa6bcd520a917b9ebde5a78464318e22bcb25b264561596c35f26275bea7a37040257ed80befa7c398816a5

Download Submit
\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll

Filesize
73KB

MD5
6b1b2ab3fc622299dcad52f581855419

SHA1
bcab8a82e52f582983d668bc1f32ae9cf508110b

SHA256
0926a2f0732014450a1897ec287d36642353bc5e4aa1ad4500d340bc20394d48

SHA512
9382791e6e140321146eb6e67af14cae9473d955eaa6bcd520a917b9ebde5a78464318e22bcb25b264561596c35f26275bea7a37040257ed80befa7c398816a5

Download Submit
\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll

Filesize
73KB

MD5
6b1b2ab3fc622299dcad52f581855419

SHA1
bcab8a82e52f582983d668bc1f32ae9cf508110b

SHA256
0926a2f0732014450a1897ec287d36642353bc5e4aa1ad4500d340bc20394d48

SHA512
9382791e6e140321146eb6e67af14cae9473d955eaa6bcd520a917b9ebde5a78464318e22bcb25b264561596c35f26275bea7a37040257ed80befa7c398816a5

Download Submit
\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll

Filesize
73KB

MD5
6b1b2ab3fc622299dcad52f581855419

SHA1
bcab8a82e52f582983d668bc1f32ae9cf508110b

SHA256
0926a2f0732014450a1897ec287d36642353bc5e4aa1ad4500d340bc20394d48

SHA512
9382791e6e140321146eb6e67af14cae9473d955eaa6bcd520a917b9ebde5a78464318e22bcb25b264561596c35f26275bea7a37040257ed80befa7c398816a5

Download Submit
\Users\Admin\AppData\Local\Temp\nSVYTsRt.dll

Filesize
73KB

MD5
6b1b2ab3fc622299dcad52f581855419

SHA1
bcab8a82e52f582983d668bc1f32ae9cf508110b

SHA256
0926a2f0732014450a1897ec287d36642353bc5e4aa1ad4500d340bc20394d48

SHA512
9382791e6e140321146eb6e67af14cae9473d955eaa6bcd520a917b9ebde5a78464318e22bcb25b264561596c35f26275bea7a37040257ed80befa7c398816a5

Download Submit
memory/912-71-0x0000000000000000-mapping.dmp

Download
memory/1120-62-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/1120-55-0x0000000000000000-mapping.dmp

Download
memory/1120-64-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/1120-65-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/1120-66-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/1120-69-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/1972-70-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing