43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192

Analysis

max time kernel
143s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/04/2023, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
Size

13.9MB
MD5

6ae9afcd7c622d75e5b0d834fdd69197
SHA1

03eee390b064dc881a1e3b4d519a4557996c3315
SHA256

43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192
SHA512

9791d87b216ba94635214480514e6f3a95d608163fb27dfc80655a1c800b909f34709826778b3333f22898d5a21d5fcc2a5049ec1130238c7405b73661730123
SSDEEP

393216:4HYcPouTK7G6+WtKzxTGYaYqVdTa2T+HGV+biK:4HdPouKuXzxyYaYqVoRn

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000013a7c-94.dat	acprotect
behavioral1/files/0x0007000000013a7c-93.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1188	FurMark.exe

Loads dropped DLL 4 IoCs

pid	Process
696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
1188	FurMark.exe
1188	FurMark.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-70-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/696-86-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0007000000013a7c-94.dat	upx
behavioral1/files/0x0007000000013a7c-93.dat	upx
behavioral1/memory/1188-95-0x0000000010000000-0x00000000102A8000-memory.dmp	upx
behavioral1/memory/1364-97-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1188-99-0x0000000010000000-0x00000000102A8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FurMark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FurMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	FurMark.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 696	1364	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	28
PID 1364 wrote to memory of 696	1364	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	28
PID 1364 wrote to memory of 696	1364	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	28
PID 1364 wrote to memory of 696	1364	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	28
PID 696 wrote to memory of 1188	696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	29
PID 696 wrote to memory of 1188	696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	29
PID 696 wrote to memory of 1188	696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	29
PID 696 wrote to memory of 1188	696	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	29

C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
"C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
  "C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe" -sfxwaitall:0 "FurMark.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FreeImage.dll

Filesize
889KB

MD5
cb1c50b16863e835371a2a8fcea3a653

SHA1
9b98f2aefe5a2d7f7b27d0cf3422746a54635cec

SHA256
a2ed0dd0a52847645a05a2c61f64284cb5cbefa9cd8e168af5e8c6138ef7fe4b

SHA512
df619f4f85cd9bd464e9216f7b6a9414898cf7f5e293a741f033b5a7259da94e0b65860b8b3ca244afdb8eee93a9cfbe56af88d742760aa00353332897fe06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\core3d.dll

Filesize
2.0MB

MD5
dc8c84bcffcd54c3f9d3f078a1907b84

SHA1
322b30f3ad527f06ab438c51121c7a1165c497ef

SHA256
07cb52467d1faaeab0bb3aff6a3f6e9bfb0c2f699db36b00beec137dbf652a63

SHA512
6ff46c9ae3475f7a79d8361b3b9862d2e3e3de465f17c57026a960685ec533bd238c7d5eeb08d3bab9ad619b1619e785d4763b487f1c474d58263167884ebcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\startup_options.xml

Filesize
354B

MD5
a606a8646cfe5be739f85e383cea5b63

SHA1
d7bbe78d5086444ce7768eec9226ae6019cdae3a

SHA256
509b65a26be4479d7491ebfb5e1cb57e672403803e2c9f7bac1ff575a8617ec9

SHA512
4cadaa3f4e36475dd1556ecb17827341e932f4ffdc80aed629c7e8f9c25c013d90e61cac69c7745af495d764ae933175a7edaf3f0cb5650f707f5ec3935351fb

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FreeImage.dll

Filesize
889KB

MD5
cb1c50b16863e835371a2a8fcea3a653

SHA1
9b98f2aefe5a2d7f7b27d0cf3422746a54635cec

SHA256
a2ed0dd0a52847645a05a2c61f64284cb5cbefa9cd8e168af5e8c6138ef7fe4b

SHA512
df619f4f85cd9bd464e9216f7b6a9414898cf7f5e293a741f033b5a7259da94e0b65860b8b3ca244afdb8eee93a9cfbe56af88d742760aa00353332897fe06de

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\core3d.dll

Filesize
2.0MB

MD5
dc8c84bcffcd54c3f9d3f078a1907b84

SHA1
322b30f3ad527f06ab438c51121c7a1165c497ef

SHA256
07cb52467d1faaeab0bb3aff6a3f6e9bfb0c2f699db36b00beec137dbf652a63

SHA512
6ff46c9ae3475f7a79d8361b3b9862d2e3e3de465f17c57026a960685ec533bd238c7d5eeb08d3bab9ad619b1619e785d4763b487f1c474d58263167884ebcdb

Download Submit
memory/696-86-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1188-95-0x0000000010000000-0x00000000102A8000-memory.dmp

Filesize
2.7MB

Download
memory/1188-99-0x0000000010000000-0x00000000102A8000-memory.dmp

Filesize
2.7MB

Download
memory/1364-85-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/1364-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-97-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-100-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download