8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

General

Target

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
Size

1.9MB
MD5

0f648bdbca1e6733c9170b4f4cf6a5dd
SHA1

fd2a74e99a6fd0b331f45deeb2097a6a62f035a7
SHA256

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081
SHA512

41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990
SSDEEP

49152:BptwI9BEWeBzPCxwboRWKXeTsYfOJBW+9GRb:BptwI9BEnC6oIwEskoEb

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	acprotect
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	acprotect

Loads dropped DLL 2 IoCs

Processes:

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

pid	process
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	upx
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	upx
behavioral1/memory/1676-80-0x0000000011000000-0x0000000011179000-memory.dmp	upx
behavioral1/memory/1676-81-0x0000000012000000-0x000000001205F000-memory.dmp	upx
behavioral1/memory/1676-112-0x0000000011000000-0x0000000011179000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

pid	process
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

pid	process
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

pid	process
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

pid	process
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
1676	8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe

C:\Users\Admin\AppData\Local\Temp\8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe
"C:\Users\Admin\AppData\Local\Temp\8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
36B

MD5
940334fe1a1ff48e5af5f8106264febf

SHA1
72ab67da23385384de7a3644b79b44d697fe7629

SHA256
78b36417aeee4381b54211afffdb418c2e33bb02e4b85b2cc60b1bfc0b1bad29

SHA512
07adff2f22fc7783ae2421e5683e5504b3b856c894965899d098f261a8bca4a27b90c2f66af54db8078fd40f50d46c691382a320ce160cb6e0e3b0bc036d0e78

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\NCaddon.xml
Filesize
20KB

MD5
a8116f70d9ab4f5eff658a2bb83b895b

SHA1
3af11c583aa0fce88a21a3802b662cccd5e6cfb8

SHA256
a2570fc9fbab44750f039fb093915e37f6fd27b151fe809f505377c5f4bb2c2c

SHA512
be5b17d5ec3ce09d6e6faababb49e97f839dbb3d9308e6e5af19982487dcddc9eb5730c84883c64e2f69803698ed67c79d3b3bc439a2c45996ceb4ccb2b8e913

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\activity.xml
Filesize
37KB

MD5
f621d587b49982f64cbb8da84cd27703

SHA1
436779e5f27accc193e657e29e7303ba49fa48e5

SHA256
b1d3ec62b4f451dca187de2903f8b2eb3dbda4fdcafc8765c31bef11c27b409c

SHA512
0bf06dc172290124330200627f0417073996e3a0474b15942d905733ec9419d247e119b89ac5cd6ca041d82909700f9ef8fd68eaeebcfeffa3dd23afe89a8d81

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\crop.xml
Filesize
2.5MB

MD5
e59a1bc1cd90fd0867ebd4344ce553ee

SHA1
aea2f2b18a611e9f911bb8406a7f3c9709627d31

SHA256
aeecb43355f0c1cace9abb776da17bf0db65a9557c08c886208e1cbb4b20e450

SHA512
8360a2ec7f15778515192d94ebba681087d5c7fc2dfa0b570438d9532c5dc27201ba39da12c931697d2848cf36ad866546acb4a3c306025858ee6d87bc3a6c62

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll
Filesize
558KB

MD5
5f86d65a1686e6bb031048d04bb3fe04

SHA1
08052c7dda12c53971dd5600223cfb3a47283998

SHA256
39531152d763dd51da8ae6a50b206f296a07410602cdb399c991987e8a11f6b4

SHA512
970e9965236cfb827848e93de3ad0132cde0a57cbee38ad72441dc65fb824ea6c749e5993cd948231bb881d4cf6dfc735231b643d58b64de1f81caff91987e5b

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll
Filesize
140KB

MD5
e503921a6061251302cb45772cb75f42

SHA1
b84a9daf1250dd33962feb6faaa122273a0b29a2

SHA256
970bfe2045464dfda89a1cd262f09813ab9c9ceb3c7375f02bca8aeecdc4cfcb

SHA512
d52b471d3e71e255d5bc7c9f04e141e80e750482183b770fdc35c08c0cc696c66643bc7074ebbeb2f9d95b6b728666414ad0ae5908f16e9a6e21d159dce33c48

Download Submit
memory/1676-73-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-65-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1676-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1676-80-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-81-0x0000000012000000-0x000000001205F000-memory.dmp

Filesize
380KB

Download
memory/1676-68-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-67-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1676-111-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-112-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1676-66-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1676-131-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-134-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-137-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-142-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-148-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-151-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-154-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/1676-160-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads