0b252685009906aa54b8bc36fa8cb3322a59badfcc5853fc60bfdf2914ee2f0c

Analysis

max time kernel
105s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driverfixwebdl-9330386980.exe
Size

701KB
MD5

bb1d489eb833e8ea9c35ae9ab043e619
SHA1

7a0c432b79c2e723c14f0d721a2dee3d29a29299
SHA256

0b252685009906aa54b8bc36fa8cb3322a59badfcc5853fc60bfdf2914ee2f0c
SHA512

566ad27480dee2d5c40cfc44c3224996a8b3994e4eded5157a8eaf608dc33a50f05cc0cb8c30c9f3fb3c522206204c63e4ea4812599df87f5025df2a8355308d
SSDEEP

12288:LEpJPxOcmmiLy0megd58i/4mIIwKl8jU++N6Tcin1iWuoWXMylb:LoxJmR+l5xAmIElXxOcin1iz35b

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	acprotect

Loads dropped DLL 17 IoCs

Processes:

driverfixwebdl-9330386980.exe

pid	process
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe
4800	driverfixwebdl-9330386980.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4384 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 4384 tasklist.exe

pid	process
4384	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	4384	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

driverfixwebdl-9330386980.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 1476	4800	driverfixwebdl-9330386980.exe	cmd.exe
PID 4800 wrote to memory of 1476	4800	driverfixwebdl-9330386980.exe	cmd.exe
PID 4800 wrote to memory of 1476	4800	driverfixwebdl-9330386980.exe	cmd.exe
PID 1476 wrote to memory of 4384	1476	cmd.exe	tasklist.exe
PID 1476 wrote to memory of 4384	1476	cmd.exe	tasklist.exe
PID 1476 wrote to memory of 4384	1476	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\driverfixwebdl-9330386980.exe
"C:\Users\Admin\AppData\Local\Temp\driverfixwebdl-9330386980.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq DriverFix.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DriverFix.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\Banner.dll
Filesize
3KB

MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\LogEx.dll
Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\WmiInspector.dll
Filesize
78KB

MD5
b757cd400e19c6722e721e27a6db1cfd

SHA1
2e07f3a7b036c3c263049af483721f88ecdb2c53

SHA256
26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

SHA512
9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\inetc.dll
Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\inetc.dll
Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\nsDialogs.dll
Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC078.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/4800-165-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download
memory/4800-189-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download
memory/4800-195-0x0000000002520000-0x000000000252B000-memory.dmp

Filesize
44KB

Download
memory/4800-164-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download
memory/4800-205-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download