b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695

General

Target

b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe
Size

107KB
MD5

a8b27e2851c66b2bedf526a190ff5b18
SHA1

83c7b396b31394e099ceece18663c7b54bcefb24
SHA256

b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695
SHA512

f48162fb2a4f7441097eace0bd71becf0691b508313d30a7b03e154f0058d24eefa3f9ad7bfdd954857c8ee377ece9f6c37b287f8c7441fd9905b86eaef73c9c
SSDEEP

3072:IgXdZt9P6D3XJbCqPVTMF+LGT02bVcu+HZN+p5Z:Ie344Sio0fbVc5HZN+p5Z

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000012300-57.dat	acprotect
behavioral1/files/0x000c000000012300-58.dat	acprotect
behavioral1/files/0x000c000000012300-59.dat	acprotect
behavioral1/files/0x000c000000012300-60.dat	acprotect
behavioral1/files/0x000c000000012300-61.dat	acprotect

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	952	rundll32.exe
8	952	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012300-57.dat	upx
behavioral1/files/0x000c000000012300-58.dat	upx
behavioral1/files/0x000c000000012300-59.dat	upx
behavioral1/files/0x000c000000012300-60.dat	upx
behavioral1/files/0x000c000000012300-61.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
388	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	rundll32.exe
952	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 1816 wrote to memory of 952	1816	b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe	28
PID 952 wrote to memory of 1316	952	rundll32.exe	32
PID 952 wrote to memory of 1316	952	rundll32.exe	32
PID 952 wrote to memory of 1316	952	rundll32.exe	32
PID 952 wrote to memory of 1316	952	rundll32.exe	32
PID 1316 wrote to memory of 388	1316	cmd.exe	34
PID 1316 wrote to memory of 388	1316	cmd.exe	34
PID 1316 wrote to memory of 388	1316	cmd.exe	34
PID 1316 wrote to memory of 388	1316	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe
"C:\Users\Admin\AppData\Local\Temp\b182a0b9f7aaac1a0129a6a21c1b29f0f2ce99cfb0b7de6922d922f9d4067695.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\miniloader.dll",Install C:\Users\Admin\AppData\Local\Temp\activate.dat
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\miniloader.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\activate.dat

Filesize
1024B

MD5
2d979a945c7da94f4141f2d8ca2e2c64

SHA1
fa44549c7af24969a4230be6cc0cc0356c955e29

SHA256
475c31d01bf1b345c1725b02474ac79b40c44074b4ad5ec45f693ff70f9482f4

SHA512
6595ccd22542688e8720020091a61d251dd0de63bb7937d879af647a23f77818a428f3622022b3c044e8875acb9339feaea067bb3b9200179146e0b72ab71b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
76KB

MD5
a3fa5c73d9efda1ac7f9b70d08387e46

SHA1
900af6dc41e846ce84e5e692b53f732aadcc074e

SHA256
c30c903a0b7068ab021af249c762e56aff6778c85957b397892c1aa7bc6332b5

SHA512
e1b6d46be75ce15ca46ee2740e39cdb1a292faf1c31b907f9a8c509e4207931b597ccc24cde9b0b56341cc69caba8da4e5ec1c6840c84097bd07c9af2cec6b5d

Download Submit
memory/952-62-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/952-64-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/1816-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing