ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8

Analysis

max time kernel
122s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2023, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
Size

1.1MB
MD5

0de7628e31c00f721cf810cf3725de27
SHA1

74e6688bba51f7722e178c02223391d10c9b360b
SHA256

ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8
SHA512

d7e26206a329467fc23706cae62191a361ab6317cecff8df6504c25313cea36ace0769ee0648ad4ec181780dc4b1c4fe2a6dfca0fb00f342fc73c1c9ab3bddb3
SSDEEP

24576:VaONSoRpW+rXo1KyVgf3oxxozLmZar6a+L9uR/:kONSs5cxYtGL9o/

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 11 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023177-141.dat	acprotect
behavioral2/files/0x0006000000023176-144.dat	acprotect
behavioral2/files/0x0006000000023176-146.dat	acprotect
behavioral2/files/0x0006000000023175-151.dat	acprotect
behavioral2/files/0x0006000000023175-149.dat	acprotect
behavioral2/files/0x0006000000023178-156.dat	acprotect
behavioral2/files/0x0006000000023178-154.dat	acprotect
behavioral2/files/0x000900000002316c-172.dat	acprotect
behavioral2/files/0x000900000002316c-170.dat	acprotect
behavioral2/files/0x0006000000023174-167.dat	acprotect
behavioral2/files/0x0006000000023174-165.dat	acprotect

Loads dropped DLL 13 IoCs

pid	Process
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023177-141.dat	upx
behavioral2/files/0x0006000000023176-144.dat	upx
behavioral2/files/0x0006000000023176-146.dat	upx
behavioral2/files/0x0006000000023175-151.dat	upx
behavioral2/files/0x0006000000023175-149.dat	upx
behavioral2/files/0x0006000000023178-156.dat	upx
behavioral2/files/0x0006000000023178-154.dat	upx
behavioral2/memory/4116-159-0x0000000000400000-0x000000000063C000-memory.dmp	upx
behavioral2/memory/4116-161-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral2/memory/4116-162-0x0000000002B90000-0x0000000002C86000-memory.dmp	upx
behavioral2/memory/4116-163-0x0000000002C90000-0x0000000002D6F000-memory.dmp	upx
behavioral2/memory/4116-164-0x00000000029C0000-0x00000000029CA000-memory.dmp	upx
behavioral2/files/0x000900000002316c-172.dat	upx
behavioral2/memory/4116-235-0x0000000004A00000-0x0000000004A39000-memory.dmp	upx
behavioral2/memory/4116-234-0x0000000004890000-0x00000000048FA000-memory.dmp	upx
behavioral2/files/0x000900000002316c-170.dat	upx
behavioral2/files/0x0006000000023174-167.dat	upx
behavioral2/files/0x0006000000023174-165.dat	upx
behavioral2/memory/4116-242-0x0000000000400000-0x000000000063C000-memory.dmp	upx
behavioral2/memory/4116-275-0x0000000000400000-0x000000000063C000-memory.dmp	upx
behavioral2/memory/4116-283-0x0000000000400000-0x000000000063C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\G:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\J:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\Y:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\Z:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\W:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\F:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\M:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\N:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\P:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\Q:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\R:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\V:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\H:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\I:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\L:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\O:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\X:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\K:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\S:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\T:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
File opened (read-only)	\??\U:	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
4116	ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe

C:\Users\Admin\AppData\Local\Temp\ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe
"C:\Users\Admin\AppData\Local\Temp\ccd74e1168d01857f645bfa9ae277f1ead84e74086fc20c05ea06d3c883637f8.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x4ec
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\No23Recorder\CDRip.dll

Filesize
81KB

MD5
c881f078f282a8b46cf67a6b3982ec1a

SHA1
6ea4bf90ac62c7ce79c9e5ee9087c9d3d91c47d5

SHA256
58baef4681448dc4c1c29ce83fbb4e86662928580a5736aaefd0a2f191522f86

SHA512
81a381380ffae766d8ec2029292ec7d33a2a1851b6c867878f3dd805af9698932bdbb7d3ac5e68fb0b3c01d4ad7d8c493d9e3a57a01549735a77166c8dd11c76

Download Submit
C:\No23Recorder\CDRip.dll

Filesize
81KB

MD5
c881f078f282a8b46cf67a6b3982ec1a

SHA1
6ea4bf90ac62c7ce79c9e5ee9087c9d3d91c47d5

SHA256
58baef4681448dc4c1c29ce83fbb4e86662928580a5736aaefd0a2f191522f86

SHA512
81a381380ffae766d8ec2029292ec7d33a2a1851b6c867878f3dd805af9698932bdbb7d3ac5e68fb0b3c01d4ad7d8c493d9e3a57a01549735a77166c8dd11c76

Download Submit
C:\No23Recorder\No23CdRip.ini

Filesize
40B

MD5
a1fa869a208f695e97be330a463ad9f9

SHA1
afc35f5424874feb0f4cba95410a996ee76bd2db

SHA256
e4736eff4686d7487090730fe14010db5109ae898dbdd086215dd61d9b778da3

SHA512
93a5f70a9d620be8196a5663e3dad57e66241fd89ece9efbc51e8aa04a08a02d6a2a2e7a33aa373629cc7fc51ddd63fc5d099b82135aadf024c04f4e313db0e8

Download Submit
C:\No23Recorder\bass.dll

Filesize
95KB

MD5
8ebebc361274e621f2612926137a917d

SHA1
7469863a2d387b56fb19b3515bb346f81e664be5

SHA256
991af65c5b63fc32ce4b3b27e800f7bfb8c228bc736d7994ca30fb6864b97824

SHA512
088ff3581718ede6f09d31a3ea8e2aab6d839c78a77a0f35807378ef122ddaa6e1e09f11312c8b7b318948d6f87c22f6f5b54f7c264d2b1f171aad9098312fb1

Download Submit
C:\No23Recorder\bass.dll

Filesize
95KB

MD5
8ebebc361274e621f2612926137a917d

SHA1
7469863a2d387b56fb19b3515bb346f81e664be5

SHA256
991af65c5b63fc32ce4b3b27e800f7bfb8c228bc736d7994ca30fb6864b97824

SHA512
088ff3581718ede6f09d31a3ea8e2aab6d839c78a77a0f35807378ef122ddaa6e1e09f11312c8b7b318948d6f87c22f6f5b54f7c264d2b1f171aad9098312fb1

Download Submit
C:\No23Recorder\lame_enc.dll

Filesize
97KB

MD5
03a04b1e7322eddb3fd996c318509d88

SHA1
af5a7e4457975ec5903a53aebb387d61eed6550d

SHA256
6eefb0db7d48818ea0ca78e0b5682f8670a70e7442773867747c8773d583dc18

SHA512
b003e949dff45e98337546dcaab6d57e64fc65804a7b395b99698a2cd563b4b9490b29ac594000fc2dd73bcf98e3555398253280b20b8c9eb77117c5569df01b

Download Submit
C:\No23Recorder\lame_enc.dll

Filesize
97KB

MD5
03a04b1e7322eddb3fd996c318509d88

SHA1
af5a7e4457975ec5903a53aebb387d61eed6550d

SHA256
6eefb0db7d48818ea0ca78e0b5682f8670a70e7442773867747c8773d583dc18

SHA512
b003e949dff45e98337546dcaab6d57e64fc65804a7b395b99698a2cd563b4b9490b29ac594000fc2dd73bcf98e3555398253280b20b8c9eb77117c5569df01b

Download Submit
C:\No23Recorder\ogg.dll

Filesize
20KB

MD5
4a3d252abfbb7bf4598ea438f4006bc2

SHA1
bb8ccb50de51b4dd0aa06f565f625f08a9c48231

SHA256
a90c0f33f656e7ea65524307c4402d688b6b001bfcd31b98d5defe5dbb1a8588

SHA512
72eb22785726e17f661e9c91885394d6e0a7a64d27f45a7d56afe185094707291e2b6d431fd65b14374d1d16bd14f517bca61fde2172972345b40a4dbac0ef87

Download Submit
C:\No23Recorder\vorbis.dll

Filesize
104KB

MD5
e942846f49adfad783c215d6e83d2f2b

SHA1
1685dcbdbe268ea6d1f7cbe2ec8e8db5c2605080

SHA256
d9c38fad15731aaa1a6af19b9304042db6fab94c8e0efd11ed33e93423945b81

SHA512
eac04c3a034557865d6aad1802a8243962e19973abcb130ef32b958ded941ebc7427fe903f333176d957188ee0d6cde1079b1207fa3c0ea561d7e7d81742baff

Download Submit
C:\No23Recorder\vorbis.dll

Filesize
104KB

MD5
e942846f49adfad783c215d6e83d2f2b

SHA1
1685dcbdbe268ea6d1f7cbe2ec8e8db5c2605080

SHA256
d9c38fad15731aaa1a6af19b9304042db6fab94c8e0efd11ed33e93423945b81

SHA512
eac04c3a034557865d6aad1802a8243962e19973abcb130ef32b958ded941ebc7427fe903f333176d957188ee0d6cde1079b1207fa3c0ea561d7e7d81742baff

Download Submit
C:\No23Recorder\vorbisenc.dll

Filesize
60KB

MD5
a3ff27b9bbf1d4afe8af426711ce12cf

SHA1
04b5eb8e9ce4bbd23185d71b576437333a6df2f7

SHA256
0786b206ec79c0815ac27b26fa355104352ec518e39a99b9420f9ed2fcdcf0de

SHA512
d61898ebeadfd0afee8adc041e26f678c2bb5b311f531dc1bb4c2255e4536e1633fa7a30c6a16b9a501efcca508bfbc275ebbf2980d52ca40f918bf79caf0418

Download Submit
C:\No23Recorder\vorbisenc.dll

Filesize
60KB

MD5
a3ff27b9bbf1d4afe8af426711ce12cf

SHA1
04b5eb8e9ce4bbd23185d71b576437333a6df2f7

SHA256
0786b206ec79c0815ac27b26fa355104352ec518e39a99b9420f9ed2fcdcf0de

SHA512
d61898ebeadfd0afee8adc041e26f678c2bb5b311f531dc1bb4c2255e4536e1633fa7a30c6a16b9a501efcca508bfbc275ebbf2980d52ca40f918bf79caf0418

Download Submit
C:\No23Recorder\vorbisfile.dll

Filesize
9KB

MD5
1e8fc7b623b62770558e8cbff53728ff

SHA1
014b43fc1d95caa85e1522f752f60e31ed87d66c

SHA256
bfceaa89c9b696a508c6c179abb4591d76e7a9aa736548b455c4a556ce196390

SHA512
e49d354dd3551ca203cd8d5af4ef5401dac560d4bff1e41c8ff06ba66027c92bc675b1acc4ec0318df2d94f60ccf30877402123b4703beced544d9f0cfaa72c3

Download Submit
C:\No23Recorder\vorbisfile.dll

Filesize
9KB

MD5
1e8fc7b623b62770558e8cbff53728ff

SHA1
014b43fc1d95caa85e1522f752f60e31ed87d66c

SHA256
bfceaa89c9b696a508c6c179abb4591d76e7a9aa736548b455c4a556ce196390

SHA512
e49d354dd3551ca203cd8d5af4ef5401dac560d4bff1e41c8ff06ba66027c92bc675b1acc4ec0318df2d94f60ccf30877402123b4703beced544d9f0cfaa72c3

Download Submit
memory/4116-160-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4116-235-0x0000000004A00000-0x0000000004A39000-memory.dmp

Filesize
228KB

Download
memory/4116-234-0x0000000004890000-0x00000000048FA000-memory.dmp

Filesize
424KB

Download
memory/4116-162-0x0000000002B90000-0x0000000002C86000-memory.dmp

Filesize
984KB

Download
memory/4116-161-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4116-164-0x00000000029C0000-0x00000000029CA000-memory.dmp

Filesize
40KB

Download
memory/4116-159-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/4116-163-0x0000000002C90000-0x0000000002D6F000-memory.dmp

Filesize
892KB

Download
memory/4116-241-0x0000000004B70000-0x0000000004BCA000-memory.dmp

Filesize
360KB

Download
memory/4116-242-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/4116-250-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4116-275-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/4116-283-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download