d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2

Analysis

max time kernel
141s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe
Size

948KB
MD5

32c522f406310a762bd567cb1d8170d9
SHA1

fde54e68f8c9d718da268c9eb5f3a09fbecd6c37
SHA256

d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2
SHA512

f2174c238851c13bcbb58c5c0af8d2d4e495d09112703aa785a7e064d7ed07f198d1a55a345c3fd7202070ed3ee87fe04d3f421780172c20a5952cfd50abc1e9
SSDEEP

12288:Zgrykts3BqO0DoMOrGSYHcfLHDCCCkTanVQ4Bi3coaYui0HoYoVsC:+mko0pmL6c7pTanVicoLuToT

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000012305-67.dat	acprotect
behavioral1/files/0x0009000000012305-68.dat	acprotect
behavioral1/files/0x000a0000000122f9-66.dat	acprotect
behavioral1/files/0x000a0000000122f9-65.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2020	MailMagicLite.exe

Loads dropped DLL 4 IoCs

pid	Process
1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe
1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe
2020	MailMagicLite.exe
2020	MailMagicLite.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012305-67.dat	upx
behavioral1/files/0x0009000000012305-68.dat	upx
behavioral1/files/0x000a0000000122f9-66.dat	upx
behavioral1/files/0x000a0000000122f9-65.dat	upx
behavioral1/memory/2020-70-0x0000000010000000-0x000000001002C000-memory.dmp	upx
behavioral1/memory/2020-71-0x0000000000460000-0x0000000000551000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe
2020	MailMagicLite.exe
2020	MailMagicLite.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2020	1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe	28
PID 1148 wrote to memory of 2020	1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe	28
PID 1148 wrote to memory of 2020	1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe	28
PID 1148 wrote to memory of 2020	1148	d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe	28

C:\Users\Admin\AppData\Local\Temp\d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe
"C:\Users\Admin\AppData\Local\Temp\d3d6685942c48093280cfe225781d898b0c2af4c4393886dbaaa428d20f083a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe
  C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\ChineseSimplified.ini

Filesize
33KB

MD5
98b5662486a5cba0f9f9eb173fe92c77

SHA1
9afaa104b2a98d2cf1af7b085f225a89cb05caf3

SHA256
475fdaaa0deed17cb4baf7aebbcc232f2ce98fc4def94e10cfc5a6b554b6514b

SHA512
d6e1ef5258755ec9ee012c0056a04336823661493b4f4d984ccba442821d22cd4754007399add3a96ddfcd42bd02072359e9e24546fbc0497e222a82e5e7089a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\LIBEAY32.dll

Filesize
364KB

MD5
dfd0a2b38848b849474f07e0cdc596b1

SHA1
6d5d3e3183dd391055263ac6ee19c9ac1281550d

SHA256
ad449bbbf1dcee2dc445231ec4103dd98c29f4eba8023a3bb684170780df35d6

SHA512
77d0febc33cf041fc26f412ec8e45b859bdb9fda12536200462cf9f8008fdbd6f1655a02ab9e6a9b3f12bd6957eefbd5d17cf36053d5f672b4e52c56c62f05c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe

Filesize
332KB

MD5
1f327a1b18e15cf78999a365ef0093dc

SHA1
c3f6c8bc85fe87ba090ce91b980cca1e2fda72d8

SHA256
0a63d315ea25a2928a0311be90cb2ae1d9f8b88933d5296ff2020fb72050860a

SHA512
10b47fed5e5e1578112c4c9cb099a12f0c23b6bb451d42038a379c2c5f52290b6b8044c7c446d82eeebef5f8533d108e3af45649b080131ffa08c7746ba3424e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe

Filesize
332KB

MD5
1f327a1b18e15cf78999a365ef0093dc

SHA1
c3f6c8bc85fe87ba090ce91b980cca1e2fda72d8

SHA256
0a63d315ea25a2928a0311be90cb2ae1d9f8b88933d5296ff2020fb72050860a

SHA512
10b47fed5e5e1578112c4c9cb099a12f0c23b6bb451d42038a379c2c5f52290b6b8044c7c446d82eeebef5f8533d108e3af45649b080131ffa08c7746ba3424e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\SSLEAY32.dll

Filesize
66KB

MD5
0c29e546dbf1d3239f773bdd8cbd863c

SHA1
0d498107c1bc964cc399b1513e0bd9d9bf243de4

SHA256
0bcb221776c620078998a4edfd1b8041123f239f7a6ac8c71356011f9f49f80b

SHA512
aa79600407ec6eca70e14e42fc5f4a64b599ed13e10eb32bce8ea24e7fce3dda504550d411b447356b1c068e17cbbc394836050dfa439d17c54269ff4041f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe

Filesize
332KB

MD5
1f327a1b18e15cf78999a365ef0093dc

SHA1
c3f6c8bc85fe87ba090ce91b980cca1e2fda72d8

SHA256
0a63d315ea25a2928a0311be90cb2ae1d9f8b88933d5296ff2020fb72050860a

SHA512
10b47fed5e5e1578112c4c9cb099a12f0c23b6bb451d42038a379c2c5f52290b6b8044c7c446d82eeebef5f8533d108e3af45649b080131ffa08c7746ba3424e

Download Submit
\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\MailMagicLite.exe

Filesize
332KB

MD5
1f327a1b18e15cf78999a365ef0093dc

SHA1
c3f6c8bc85fe87ba090ce91b980cca1e2fda72d8

SHA256
0a63d315ea25a2928a0311be90cb2ae1d9f8b88933d5296ff2020fb72050860a

SHA512
10b47fed5e5e1578112c4c9cb099a12f0c23b6bb451d42038a379c2c5f52290b6b8044c7c446d82eeebef5f8533d108e3af45649b080131ffa08c7746ba3424e

Download Submit
\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\libeay32.dll

Filesize
364KB

MD5
dfd0a2b38848b849474f07e0cdc596b1

SHA1
6d5d3e3183dd391055263ac6ee19c9ac1281550d

SHA256
ad449bbbf1dcee2dc445231ec4103dd98c29f4eba8023a3bb684170780df35d6

SHA512
77d0febc33cf041fc26f412ec8e45b859bdb9fda12536200462cf9f8008fdbd6f1655a02ab9e6a9b3f12bd6957eefbd5d17cf36053d5f672b4e52c56c62f05c6

Download Submit
\Users\Admin\AppData\Local\Temp\e741c675-a7b5-448e-bcf1-c13b1fa492f4\ssleay32.dll

Filesize
66KB

MD5
0c29e546dbf1d3239f773bdd8cbd863c

SHA1
0d498107c1bc964cc399b1513e0bd9d9bf243de4

SHA256
0bcb221776c620078998a4edfd1b8041123f239f7a6ac8c71356011f9f49f80b

SHA512
aa79600407ec6eca70e14e42fc5f4a64b599ed13e10eb32bce8ea24e7fce3dda504550d411b447356b1c068e17cbbc394836050dfa439d17c54269ff4041f3d1

Download Submit
memory/2020-70-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/2020-71-0x0000000000460000-0x0000000000551000-memory.dmp

Filesize
964KB

Download