Analysis
- max time kernel: 141s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 10:58
Static task: static1
Behavioral task: behavioral1
- Sample: 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
- Resource: win10v2004-20230220-en
General
- Target: 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
- Size: 948KB
- MD5: ba734918d156be30bcb21285cac627d6
- SHA1: a228e675b467a698003b087cb4850cfad1cad7e1
- SHA256: 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c
- SHA512: 7b6c3b59e7a03cf956a91bb8bfdf1f4859d5158c6293d9e3c741ecfa8e4870cb3ff45bd66c3b34be2cf70660f31fd9202f3ac5c935d79718656d5c5bd70e52bd
- SSDEEP: 12288:Zgrykts3BqO0DoMOrGSYHcfLHDCCCkTanVQ4BircoaYui0HoYoVnM:+mko0pmL6c7pTanVucoLuToo
Signatures
- ACProtect 1.3x - 1.4x DLL software (4 IoCs)
  Detects file using ACProtect software.
  Resources matching yara_rule "acprotect":
  - C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\LIBEAY32.dll
  - \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\libeay32.dll
  - \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\ssleay32.dll
  - C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\SSLEAY32.dll
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1996 MailMagicLite.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  - 1400 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
  - 1400 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
  - 1996 MailMagicLite.exe
  - 1996 MailMagicLite.exe
- Resources matching yara_rule "upx":
  - C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\LIBEAY32.dll
  - \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\libeay32.dll
  - \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\ssleay32.dll
  - C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\SSLEAY32.dll
  - behavioral1/memory/1996-70-0x0000000010000000-0x000000001002C000-memory.dmp
  - behavioral1/memory/1996-71-0x0000000000220000-0x0000000000311000-memory.dmp
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
  - 1400 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
  - 1996 MailMagicLite.exe
  - 1996 MailMagicLite.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1400 wrote to memory of 1996; 1400; 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe; MailMagicLite.exe
  - PID 1400 wrote to memory of 1996; 1400; 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe; MailMagicLite.exe
  - PID 1400 wrote to memory of 1996; 1400; 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe; MailMagicLite.exe
  - PID 1400 wrote to memory of 1996; 1400; 1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe; MailMagicLite.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f9b168ee4f0d6cca603a5665e5f7c2b520fb7b986b2933bb7a200bd666ecf1c.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\MailMagicLite.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\MailMagicLite.exe C:\Users\Admin\AppData\Local\Temp\
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\ChineseSimplified.ini
  Filesize: 33KB
  MD5: 98b5662486a5cba0f9f9eb173fe92c77
  SHA1: 9afaa104b2a98d2cf1af7b085f225a89cb05caf3
  SHA256: 475fdaaa0deed17cb4baf7aebbcc232f2ce98fc4def94e10cfc5a6b554b6514b
  SHA512: d6e1ef5258755ec9ee012c0056a04336823661493b4f4d984ccba442821d22cd4754007399add3a96ddfcd42bd02072359e9e24546fbc0497e222a82e5e7089a
- C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\LIBEAY32.dll
  (also reported as \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\libeay32.dll, same hashes)
  Filesize: 364KB
  MD5: dfd0a2b38848b849474f07e0cdc596b1
  SHA1: 6d5d3e3183dd391055263ac6ee19c9ac1281550d
  SHA256: ad449bbbf1dcee2dc445231ec4103dd98c29f4eba8023a3bb684170780df35d6
  SHA512: 77d0febc33cf041fc26f412ec8e45b859bdb9fda12536200462cf9f8008fdbd6f1655a02ab9e6a9b3f12bd6957eefbd5d17cf36053d5f672b4e52c56c62f05c6
- C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\MailMagicLite.exe
  (reported four times, twice with the C:\ prefix and twice as \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\MailMagicLite.exe, same hashes)
  Filesize: 332KB
  MD5: 905b8a0b7ddeceb4f248b06e467bdca5
  SHA1: 8bfd91a152a933b5803376328353a2b1e644b0c3
  SHA256: 3b12a389d048a30369713b9a048a9ffcba4ee0121fe18f703780792bdb11780b
  SHA512: 580b69a8a6d6cc2edce39888f78461cd27f4999b17152186d75b0a238a91e9501dbc9e417bd2851c9c3b5c2117325e483a540d96909b7c8eb9b8ee6a0cb24a9d
- C:\Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\SSLEAY32.dll
  (also reported as \Users\Admin\AppData\Local\Temp\f3208a07-3e81-40c4-a511-c3ef43921b1b\ssleay32.dll, same hashes)
  Filesize: 66KB
  MD5: 0c29e546dbf1d3239f773bdd8cbd863c
  SHA1: 0d498107c1bc964cc399b1513e0bd9d9bf243de4
  SHA256: 0bcb221776c620078998a4edfd1b8041123f239f7a6ac8c71356011f9f49f80b
  SHA512: aa79600407ec6eca70e14e42fc5f4a64b599ed13e10eb32bce8ea24e7fce3dda504550d411b447356b1c068e17cbbc394836050dfa439d17c54269ff4041f3d1
- memory/1996-70-0x0000000010000000-0x000000001002C000-memory.dmp
  Filesize: 176KB
- memory/1996-71-0x0000000000220000-0x0000000000311000-memory.dmp
  Filesize: 964KB