827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27

Analysis

max time kernel
32s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe
Size

34KB
MD5

00ea4b7e2e53a8dedc45734a9f46a820
SHA1

5940ca389ee96f384880ab21724d9d3dfd80819b
SHA256

827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27
SHA512

65de70ac60bf1b5e808c4cab22040aa450075afc5f86c6c7fde50e4488711566a54e5e5b06e8b86ce7dda55debb3e98860aa14dfcd94efae5d72c48ddeee2c09
SSDEEP

768:tO2+qy5VszZPljT76gPCmaNT1r1NZFhu9o+:wJqwVsdPljtSNxrpgf

Score

9^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000005c50-58.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2020	dnote.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dnote = "C:\\Windows\\dnote.exe"	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mwin.dll	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe
File created	C:\Windows\dnote.exe	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe
File opened for modification	C:\Windows\dnote.exe	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe
File opened for modification	C:\Windows\mwin.dll	dnote.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	dnote.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2020	1612	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe	26
PID 1612 wrote to memory of 2020	1612	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe	26
PID 1612 wrote to memory of 2020	1612	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe	26
PID 1612 wrote to memory of 2020	1612	827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe	26

C:\Users\Admin\AppData\Local\Temp\827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe
"C:\Users\Admin\AppData\Local\Temp\827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\dnote.exe
  "C:\Windows\dnote.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dnote.exe

Filesize
34KB

MD5
00ea4b7e2e53a8dedc45734a9f46a820

SHA1
5940ca389ee96f384880ab21724d9d3dfd80819b

SHA256
827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27

SHA512
65de70ac60bf1b5e808c4cab22040aa450075afc5f86c6c7fde50e4488711566a54e5e5b06e8b86ce7dda55debb3e98860aa14dfcd94efae5d72c48ddeee2c09

Download Submit
C:\Windows\mwin.dll

Filesize
6KB

MD5
f1f336b40cc3ca08dbab92e5de157228

SHA1
a41ef9ecfaab57601f28287b303593b8d904bce5

SHA256
b8b0c6a03592ff58c433badce10e436dcf2f0b832cac9f96fdc6e18867286ecd

SHA512
e2d0ad48288d0d45603c77fdcdee20f9b43ea8e0e3c2752aa312726405625c46f81ddf53be1bfbb68e4a4c018b86cc4a6d03afef96013943cb984b0435db7317

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download