5f11beddefa675c83c556db36130b05536f642dd3d53a9ededfa2c3dd1e7967a

Resubmissions

13/04/2023, 16:04

230413-th2t2sdg8z 7

13/04/2023, 16:03

230413-thp59ace64 7

Analysis

max time kernel
11s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch.exe
Size

493KB
MD5

7a3d160baa69768dc437383f10950889
SHA1

a1c606e7745199e6355aabbb37f4cc753f9f2e66
SHA256

5f11beddefa675c83c556db36130b05536f642dd3d53a9ededfa2c3dd1e7967a
SHA512

3484a4ebfd0d1e80f0b3b154e69d49637a3972d6ca74450705294ce3e48b22d530887155ef34646d1e211de663ad0fa38a22fc986d206a404753fd723e15545a
SSDEEP

12288:hHWnjgPH80/T0NFi739dX3ZCC8wmTId9SuuVtko:hHWjgv8Cp7HZPGTIauuVtko

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014492-72.dat	acprotect
behavioral1/files/0x0007000000014492-71.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1680	create.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	Patch.exe
2020	Patch.exe
2020	Patch.exe
1680	create.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001453d-66.dat	upx
behavioral1/files/0x000700000001453d-69.dat	upx
behavioral1/memory/1680-74-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1964	AUDIODG.EXE
Token: 33	1964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1964	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1680	2020	Patch.exe	28
PID 2020 wrote to memory of 1680	2020	Patch.exe	28
PID 2020 wrote to memory of 1680	2020	Patch.exe	28
PID 2020 wrote to memory of 1680	2020	Patch.exe	28
PID 1680 wrote to memory of 628	1680	create.exe	29
PID 1680 wrote to memory of 628	1680	create.exe	29
PID 1680 wrote to memory of 628	1680	create.exe	29
PID 1680 wrote to memory of 628	1680	create.exe	29

C:\Users\Admin\AppData\Local\Temp\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Patch.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\create.exe
  "C:\Users\Admin\AppData\Local\Temp\create.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\368C.tmp\368D.tmp\369D.bat C:\Users\Admin\AppData\Local\Temp\create.exe"
    3⤵
    PID:628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\368C.tmp\368D.tmp\369D.bat

Filesize
34B

MD5
5c20f4f8cdf553da70b888e39d6d0190

SHA1
96fb5b8224b01760a6cc92c13b4f2b35324ff5cc

SHA256
391bf88a4b93296a87059637e357954b42b5dc8a26216219e671fa476d78268d

SHA512
5dd06bcfff3eab68b9ec5ed55b99bae5ce3006d7cf53c467e783a14336c1e68952f29d1b22336af5bc756a325f97bc9b23f248129f8fea806f69888fe97600c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\create.exe

Filesize
44KB

MD5
e5fcd90838141ff50efde6a8d60016ab

SHA1
1d1ce6d5d43b8290359469bc08ee909bf28a2d0d

SHA256
2977e50c4cfc046605f94316562b456fe18d5f51c20bfeadc01250aa41e07303

SHA512
87b4f0463283389ed4e539ed73ae8384a3fc9bf972365696ff0ab8297020551071cec75155588a14dcb820d8143fec4a42991cfb3c925df6747ead5a5d792e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\version.DLL

Filesize
16KB

MD5
56d87442f7aedf06a936ca737d8e9aad

SHA1
acc37694c627ff326280ec721d7fbb694bd7f3a0

SHA256
4b93a437c2a36402831d0f57be8ffd3e9dfb0a001102bc26dfb76c3a80e449ae

SHA512
a04e05558ec565de2f5a70250391156c4bf233b0bdde3d1ffa680679880012e1c099d5ccf9bd06fdd34d073fea7c35ae9309571debf79d995816ae8d364afffc

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\create.exe

Filesize
44KB

MD5
e5fcd90838141ff50efde6a8d60016ab

SHA1
1d1ce6d5d43b8290359469bc08ee909bf28a2d0d

SHA256
2977e50c4cfc046605f94316562b456fe18d5f51c20bfeadc01250aa41e07303

SHA512
87b4f0463283389ed4e539ed73ae8384a3fc9bf972365696ff0ab8297020551071cec75155588a14dcb820d8143fec4a42991cfb3c925df6747ead5a5d792e02

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
457KB

MD5
b5d1823d4ffd41be31012b98680dc827

SHA1
4e990578f3a423617a9f0462bce325b83aec8e06

SHA256
8d214d14b182d858aab556a61a07ab7c266596aadc0255a7dce92ef8a787b1e3

SHA512
4dc255c5fdc56c437331555566bb0cf6b5e58d41cf063b321b844860498f47ab1f43a42bda8a9d847734aba26559e3c4155737c30ab0029712cd6bbbc50b3582

Download Submit
\Users\Admin\AppData\Local\Temp\version.dll

Filesize
16KB

MD5
56d87442f7aedf06a936ca737d8e9aad

SHA1
acc37694c627ff326280ec721d7fbb694bd7f3a0

SHA256
4b93a437c2a36402831d0f57be8ffd3e9dfb0a001102bc26dfb76c3a80e449ae

SHA512
a04e05558ec565de2f5a70250391156c4bf233b0bdde3d1ffa680679880012e1c099d5ccf9bd06fdd34d073fea7c35ae9309571debf79d995816ae8d364afffc

Download Submit
memory/1680-74-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2020-60-0x00000000749E0000-0x0000000074A6B000-memory.dmp

Filesize
556KB

Download
memory/2020-61-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2020-75-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download