43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192

General

Target

43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
Size

13.9MB
MD5

6ae9afcd7c622d75e5b0d834fdd69197
SHA1

03eee390b064dc881a1e3b4d519a4557996c3315
SHA256

43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192
SHA512

9791d87b216ba94635214480514e6f3a95d608163fb27dfc80655a1c800b909f34709826778b3333f22898d5a21d5fcc2a5049ec1130238c7405b73661730123
SSDEEP

393216:4HYcPouTK7G6+WtKzxTGYaYqVdTa2T+HGV+biK:4HdPouKuXzxyYaYqVoRn

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000500000001db36-169.dat	acprotect
behavioral2/files/0x000500000001db36-170.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe

Executes dropped EXE 1 IoCs

pid	Process
1104	FurMark.exe

Loads dropped DLL 2 IoCs

pid	Process
1104	FurMark.exe
1104	FurMark.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3180-149-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2976-164-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000500000001db36-169.dat	upx
behavioral2/files/0x000500000001db36-170.dat	upx
behavioral2/memory/1104-172-0x0000000010000000-0x00000000102A8000-memory.dmp	upx
behavioral2/memory/3180-173-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1104-175-0x0000000010000000-0x00000000102A8000-memory.dmp	upx
behavioral2/memory/1104-181-0x0000000010000000-0x00000000102A8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FurMark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FurMark.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2976	3180	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	85
PID 3180 wrote to memory of 2976	3180	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	85
PID 3180 wrote to memory of 2976	3180	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	85
PID 2976 wrote to memory of 1104	2976	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	86
PID 2976 wrote to memory of 1104	2976	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	86
PID 2976 wrote to memory of 1104	2976	43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe	86

C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
"C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe
  "C:\Users\Admin\AppData\Local\Temp\43b53938bae0027d5df56d65b4e198023dbf7a88f7a3fbd211da71fb7b0af192.exe" -sfxwaitall:0 "FurMark.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FreeImage.dll

Filesize
889KB

MD5
cb1c50b16863e835371a2a8fcea3a653

SHA1
9b98f2aefe5a2d7f7b27d0cf3422746a54635cec

SHA256
a2ed0dd0a52847645a05a2c61f64284cb5cbefa9cd8e168af5e8c6138ef7fe4b

SHA512
df619f4f85cd9bd464e9216f7b6a9414898cf7f5e293a741f033b5a7259da94e0b65860b8b3ca244afdb8eee93a9cfbe56af88d742760aa00353332897fe06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FreeImage.dll

Filesize
889KB

MD5
cb1c50b16863e835371a2a8fcea3a653

SHA1
9b98f2aefe5a2d7f7b27d0cf3422746a54635cec

SHA256
a2ed0dd0a52847645a05a2c61f64284cb5cbefa9cd8e168af5e8c6138ef7fe4b

SHA512
df619f4f85cd9bd464e9216f7b6a9414898cf7f5e293a741f033b5a7259da94e0b65860b8b3ca244afdb8eee93a9cfbe56af88d742760aa00353332897fe06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FurMark.exe

Filesize
2.9MB

MD5
dfc7cd9b74418e5bc5850d14565119d8

SHA1
a51a4431ff0ab77135803d4af09bb9152e92ef6d

SHA256
e770e8113de2676a5f77a1e8d3febc7a88af8d1fe77bbe1417e5142e7e8c9274

SHA512
635b558b4fd7744f0e11e70465c023d04e17083dffeb149f8c3952823324f1a89126e0f847c680de1bfac1f357484f0bda4d5b1a7c4b69d511be754e7f079b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\core3d.dll

Filesize
2.0MB

MD5
dc8c84bcffcd54c3f9d3f078a1907b84

SHA1
322b30f3ad527f06ab438c51121c7a1165c497ef

SHA256
07cb52467d1faaeab0bb3aff6a3f6e9bfb0c2f699db36b00beec137dbf652a63

SHA512
6ff46c9ae3475f7a79d8361b3b9862d2e3e3de465f17c57026a960685ec533bd238c7d5eeb08d3bab9ad619b1619e785d4763b487f1c474d58263167884ebcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\core3d.dll

Filesize
2.0MB

MD5
dc8c84bcffcd54c3f9d3f078a1907b84

SHA1
322b30f3ad527f06ab438c51121c7a1165c497ef

SHA256
07cb52467d1faaeab0bb3aff6a3f6e9bfb0c2f699db36b00beec137dbf652a63

SHA512
6ff46c9ae3475f7a79d8361b3b9862d2e3e3de465f17c57026a960685ec533bd238c7d5eeb08d3bab9ad619b1619e785d4763b487f1c474d58263167884ebcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\startup_options.xml

Filesize
354B

MD5
a606a8646cfe5be739f85e383cea5b63

SHA1
d7bbe78d5086444ce7768eec9226ae6019cdae3a

SHA256
509b65a26be4479d7491ebfb5e1cb57e672403803e2c9f7bac1ff575a8617ec9

SHA512
4cadaa3f4e36475dd1556ecb17827341e932f4ffdc80aed629c7e8f9c25c013d90e61cac69c7745af495d764ae933175a7edaf3f0cb5650f707f5ec3935351fb

Download Submit
memory/1104-172-0x0000000010000000-0x00000000102A8000-memory.dmp

Filesize
2.7MB

Download
memory/1104-175-0x0000000010000000-0x00000000102A8000-memory.dmp

Filesize
2.7MB

Download
memory/1104-181-0x0000000010000000-0x00000000102A8000-memory.dmp

Filesize
2.7MB

Download
memory/2976-164-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3180-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3180-173-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads