305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83

General

Target

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
Size

1.8MB
MD5

22e37a07e0e66715109a8aee71d6c21b
SHA1

ed85ea1ac4f54c3c1400e3741189f8b2c2e5309f
SHA256

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83
SHA512

0a64b052a2d48132f52b25a8202e6a48aa936a8d7be991c76cdae0be178385ba5c202b569fa5e67e2489ff3279806dc1a65953bbd781101e9a7613344b096582
SSDEEP

49152:VSBeCTBg/nYFBE4Lwl7mCfpweTsYfOJBW+VPb:VuTkYFm4Lwl7mKmEskozPb

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	acprotect
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	acprotect

Loads dropped DLL 2 IoCs

Processes:

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

pid	process
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	upx
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	upx
behavioral1/memory/1212-79-0x0000000011000000-0x0000000011179000-memory.dmp	upx
behavioral1/memory/1212-80-0x0000000012000000-0x000000001205F000-memory.dmp	upx
behavioral1/memory/1212-112-0x0000000011000000-0x0000000011179000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

pid	process
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

pid	process
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

pid	process
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

pid	process
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
1212	305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe

C:\Users\Admin\AppData\Local\Temp\305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe
"C:\Users\Admin\AppData\Local\Temp\305f27e9064b4ebb4738dd644a2686f623a02d067b7c2e78ed54d64332b3ee83.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
8B

MD5
3b0f2d77e15beb3b85e8ef752d6a3bd3

SHA1
9a39f2dd186749fea11b84e53cfa77194eed88d3

SHA256
b171e283c6145acf2b923098dbbc40ffc39b4f1db0212928f9869747376c4ac8

SHA512
998af177560b6f6e225d9dfe1ae7799cdeec81ae437654c210197dce1cd41f3f9dac087dfef0652caba6b0c5fcdae50b29c2c96862b76ab3712227fb937d61c8

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\NCaddon.xml
Filesize
20KB

MD5
d81614bb7fb14af10dbc333ecc2ae5c5

SHA1
4e7f5d989e991da45b22b85e25f0b9cdfd21d2ab

SHA256
165a9f7beeb4010f85f794bcb6f4931c2e3cbc8282be885057de883e674ba42e

SHA512
36f099c701e0f5ad356009835a3d4f971ae3d13864c0aab299a5755d546d17e1924604ff5eb9dbd938e046e0595ab2c964719dccb245fb17f3d8fcb7779c47ef

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\activity.xml
Filesize
38KB

MD5
01c471c9192f84bb86073a5e06e0e760

SHA1
355af37c254e820ce6ed9c620b719ea7c0505b96

SHA256
09765185ede59930a01b33d7c62b7557f717a4fa7b089b93b632ee009601fc2e

SHA512
81536f0eeaac9893e1bd5d6f9b518473b65bb12ad768f83576a76167812f8bf19dafff8f6ac74f679bd6ca507fda45f797bb71cbd2f2ec0964030d4157dae0a1

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\crop.xml
Filesize
2.5MB

MD5
e59a1bc1cd90fd0867ebd4344ce553ee

SHA1
aea2f2b18a611e9f911bb8406a7f3c9709627d31

SHA256
aeecb43355f0c1cace9abb776da17bf0db65a9557c08c886208e1cbb4b20e450

SHA512
8360a2ec7f15778515192d94ebba681087d5c7fc2dfa0b570438d9532c5dc27201ba39da12c931697d2848cf36ad866546acb4a3c306025858ee6d87bc3a6c62

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll
Filesize
558KB

MD5
5f86d65a1686e6bb031048d04bb3fe04

SHA1
08052c7dda12c53971dd5600223cfb3a47283998

SHA256
39531152d763dd51da8ae6a50b206f296a07410602cdb399c991987e8a11f6b4

SHA512
970e9965236cfb827848e93de3ad0132cde0a57cbee38ad72441dc65fb824ea6c749e5993cd948231bb881d4cf6dfc735231b643d58b64de1f81caff91987e5b

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll
Filesize
140KB

MD5
e503921a6061251302cb45772cb75f42

SHA1
b84a9daf1250dd33962feb6faaa122273a0b29a2

SHA256
970bfe2045464dfda89a1cd262f09813ab9c9ceb3c7375f02bca8aeecdc4cfcb

SHA512
d52b471d3e71e255d5bc7c9f04e141e80e750482183b770fdc35c08c0cc696c66643bc7074ebbeb2f9d95b6b728666414ad0ae5908f16e9a6e21d159dce33c48

Download Submit
memory/1212-67-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/1212-160-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-79-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/1212-80-0x0000000012000000-0x000000001205F000-memory.dmp

Filesize
380KB

Download
memory/1212-81-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1212-68-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/1212-66-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1212-128-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-166-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-56-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1212-111-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-131-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-134-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-137-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-148-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-151-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-154-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-70-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-163-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1212-112-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads