c7d5c2d7df032671544a0974fb292e2131b541469ef1daf9c103c1a534a8ee60

General

Target

infected.zip
Size

11.4MB
MD5

20378da4066af3d5b0ac9f0d6879e752
SHA1

b6486b33e22c02ee93d32200f2f4f4dbb2dcc08d
SHA256

c7d5c2d7df032671544a0974fb292e2131b541469ef1daf9c103c1a534a8ee60
SHA512

9cc56049ab71c2df9f41f9faa5b30848d33721d1911bca2190ed2a0fae4e54ff959568362a0f0769f985660cab7035816e8cebc30ae35997238b07c671510a31
SSDEEP

196608:W/yaLXILj6fFsb16m9kGRii2BSe2qE3LsGqjRGPnosvg93p9N0MY/6FGD2TDY:W/fSj0ebv2G2MJqE389GPnPvgb0Mz4Z

Score

9^/10

cryptone packer upx

Malware Config

Signatures

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe	cryptone

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3872 Client.exe
Loads dropped DLL 1 IoCs

Processes:

Client.exe

pid process

3872 Client.exe

pid	process
3872	Client.exe

pid	process
3872	Client.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll	upx
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll	upx
behavioral1/memory/3872-277-0x0000000010000000-0x000000001003B000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zFM.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	2204	7zFM.exe
Token: 35	2204	7zFM.exe
Token: SeSecurityPrivilege	2204	7zFM.exe
Token: SeRestorePrivilege	2640	7zG.exe
Token: 35	2640	7zG.exe
Token: SeSecurityPrivilege	2640	7zG.exe
Token: SeSecurityPrivilege	2640	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe7zG.exeClient.exe

pid process

2204 7zFM.exe
2204 7zFM.exe
2640 7zG.exe
3872 Client.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

3872 Client.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client.exe

pid process

3872 Client.exe
3872 Client.exe
3872 Client.exe
3872 Client.exe

pid	process
2204	7zFM.exe
2204	7zFM.exe
2640	7zG.exe
3872	Client.exe

pid	process
3872	Client.exe

pid	process
3872	Client.exe
3872	Client.exe
3872	Client.exe
3872	Client.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:736

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\infected.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\infected\" -spe -an -ai#7zMap436:96:7zEvent23508
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2640

C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe
Filesize
6.4MB

MD5
8624f5450d12dc8176edeb2473076156

SHA1
e0b470210439f0bfdeb0cd8e394a23c3e5c01a19

SHA256
8f24d878fa71e2ecc85a67d230d47476434bf845348c5651455e7d56b815e9ae

SHA512
a6142d4c845a1a02775fbde5155f9bac257a1115347581db6c535977f1534f282ed189c2d2fc3af8169d844ad04545ed0c10eff26545391ebe58da09cf0b58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe
Filesize
6.4MB

MD5
8624f5450d12dc8176edeb2473076156

SHA1
e0b470210439f0bfdeb0cd8e394a23c3e5c01a19

SHA256
8f24d878fa71e2ecc85a67d230d47476434bf845348c5651455e7d56b815e9ae

SHA512
a6142d4c845a1a02775fbde5155f9bac257a1115347581db6c535977f1534f282ed189c2d2fc3af8169d844ad04545ed0c10eff26545391ebe58da09cf0b58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.ini
Filesize
337B

MD5
9d63e1be1d6db9b2b71bda5a922de35f

SHA1
9552f4c1ae0d32b69911f278177024065f56d8b1

SHA256
a000ab2a922e50cd2c27fdf725958147c819cf0d5a08ecc99d9287ecb8ff1f80

SHA512
838755e3499145e6a5b3392763097e937d369a583c61f7f7a9dad51705b56d23a471730709a67e748846a41060281aa2744b06d46c64c6341ce4e9af30663fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected\Bin\Plugins\QQwry.dat
Filesize
9.9MB

MD5
ef60d4bf05da99c5d23a9ace6add5d27

SHA1
09f4182d5474efdd3c88822b2532c38cc16fde89

SHA256
71c82f666885ac7ced69bbb11276f6893bfcfd37b63c34d925480798bbcdf295

SHA512
ab95640e155de9dc7ea0b5b9f764bbe993bc80cedd8f401ecc53719da21fa882b9cdcca5395a9976c353309d3581e524bda497f382aae993768f48d52a2a6e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll
Filesize
89KB

MD5
1a3c27813a808a558f5ca49f6a7d14aa

SHA1
910424d61a3f2fff71b2670f5b738cfecc4974f5

SHA256
9f1463942ad4a8156c460b02d47b8e8b80c3cee630d2d07f690a18e168fb7ddc

SHA512
b413c885928093334c04caf367e3dbbcb7c0493963860ed7bc4a45aefcac2680c2188e1aa1ec7c36637d97f67cbb34ed1f6412356a6f708a6d3fe640ae606fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll
Filesize
89KB

MD5
1a3c27813a808a558f5ca49f6a7d14aa

SHA1
910424d61a3f2fff71b2670f5b738cfecc4974f5

SHA256
9f1463942ad4a8156c460b02d47b8e8b80c3cee630d2d07f690a18e168fb7ddc

SHA512
b413c885928093334c04caf367e3dbbcb7c0493963860ed7bc4a45aefcac2680c2188e1aa1ec7c36637d97f67cbb34ed1f6412356a6f708a6d3fe640ae606fa7

Download Submit
memory/3872-277-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads