Analysis
max time kernel: 142s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230621-en locale:en-us os:windows10-2004-x64 system
submitted: 23-06-2023 19:13
Behavioral task: behavioral1
Sample: 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe
Resource: win7-20230621-en
General
Target: 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe
Size: 2.4MB
MD5: 950be563cffc355231d4e9f1d8e6a902
SHA1: b0ddd2201fb60253f92a5d4df18487c649436025
SHA256: 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6
SHA512: f7d5b7cd25edb404351f21533a29f9a45fffe671100f25950235a09303e0d6d6da66bc4f03fa6705bf20fd5ce8cf712de9479f6f5063c9df90fe5557bbc3ccdc
SSDEEP: 24576:i4GHnhIzO6YYXsf9vA5eNizYpnjfONnXfoMBtyfuzRODhXym0Iwzl7DDEb81O:tshd6YYXYNA5L+njat9ROEJNDEo1
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll | acprotect
-
Processes:
resource | yara_rule
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe | aspack_v212_v242
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe | aspack_v212_v242
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe | aspack_v212_v242
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1300 | MP3SoundRecorder.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
1300 | MP3SoundRecorder.exe
1300 | MP3SoundRecorder.exe
1300 | MP3SoundRecorder.exe
1300 | MP3SoundRecorder.exe
1300 | MP3SoundRecorder.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2560-133-0x0000000000400000-0x00000000006CC000-memory.dmp | upx
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll | upx
behavioral2/memory/2560-212-0x0000000000400000-0x00000000006CC000-memory.dmp | upx
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/2560-133-0x0000000000400000-0x00000000006CC000-memory.dmp | autoit_exe
behavioral2/memory/2560-212-0x0000000000400000-0x00000000006CC000-memory.dmp | autoit_exe
-
Drops file in Program Files directory 28 IoCs
Processes:
Process: 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe
description | ioc
File created | C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico
File created | C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico
File created | C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\ti.ico
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico
File created | C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\record.dll
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll
File created | C:\Program Files (x86)\MP3SoundRecorder\ti.ico
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
File created | C:\Program Files (x86)\MP3SoundRecorder\readme.txt
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\set.ini
File created | C:\Program Files (x86)\MP3SoundRecorder\Help.chm
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll
File created | C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll
File created | C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\readme.txt
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico
File created | C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\Help.chm
File created | C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll
File created | C:\Program Files (x86)\MP3SoundRecorder\set.ini
File created | C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll
File created | C:\Program Files (x86)\MP3SoundRecorder\record.dll
File opened for modification | C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1300 | MP3SoundRecorder.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Process: 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe
description | pid | process | target process
PID 2560 wrote to memory of 1300 | 2560 | 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe | MP3SoundRecorder.exe
PID 2560 wrote to memory of 1300 | 2560 | 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe | MP3SoundRecorder.exe
PID 2560 wrote to memory of 1300 | 2560 | 7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe | MP3SoundRecorder.exe
Processes
-
Process 1: C:\Users\Admin\AppData\Local\Temp\7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7b7f97109ad8e1a640269aabdfa9b85d35c0cbaa785c84f2625f73bd04b89eb6.exe"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
Process 2 (child of process 1): C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
Command line: "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
Filesize: 293KB
MD5: 4b4596685b04d3d2fa26d3db2566e3d9
SHA1: a585baa7927b7d9ed48e71d16be1cb082380ccf9
SHA256: 0febad3d37a4181e6fb0c4b22e3c474ed31feca37ed5cdf467c47034a12801d1
SHA512: 46a1919c33a4c560d148e819d723774d70a59a39d1bdcfbfdd8b21c35e79d539408a3c0eedaa8deb773a35fe460852840997eb46f7ae6e03301866a0cea81c39
-
C:\Program Files (x86)\MP3SoundRecorder\Record.dll
Filesize: 144KB
MD5: 0900b5101c195e81136d9ae29f2ffab1
SHA1: 23aa366cd9680a7cb9d852eafd792ecfacc1b2a0
SHA256: db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1
SHA512: 29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944
-
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
Filesize: 129KB
MD5: b3827cd4220b03a488558ab1d0375688
SHA1: f8b691df0c58ab126aabf716d8ad9b45e0486403
SHA256: 5aa9f5dd3532cd512b6a995bfc732fa41920497e58f4a1c4090943b8cc0be272
SHA512: e5b32a8aae9bff6f4d7c5877a60d07383573bed7276495bc01d6cafa5a9ecbe15cbdb40f55d2bf8b8492ffea5e3115df53e649356e82c51b956e7e191c373c22
-
C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll
Filesize: 44KB
MD5: e37e04a72f9c06a0ddb327c7a85c4433
SHA1: 68dd5bc160ad3838264e3be75211f0a709790b8e
SHA256: b77ef65a7e415a6aa4b10244057951d37e6c19750fec58e271360aa0dc5d94c3
SHA512: de33fec8a9a560b4712c8f17eb34f66f44216e8b05d46f10b4e60636f7fda299cd91d8d893914f741d701497a95e636114e21c4f8533b082a9df49b5aa1c0c20
-
C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll
Filesize: 184KB
MD5: 43d7d7490fa34f55abb2d91a886f9f86
SHA1: fcb09bc35908631db403a05bb9e4b0b72a0bb003
SHA256: 38ca4d2075d74f4ac6a5dade53754320cd31a4270e2c6ab0498ff4bcf4f07acc
SHA512: e48effed54499cfa39ea252064f71bba157e2afb55f7006f6f670d9b1e9a4bd3c8f4d7869658fa5e7b7b043c162df565f64ee07ce3d704647858971b6dc72038
-
C:\Program Files (x86)\MP3SoundRecorder\record.dll
Filesize: 144KB
MD5: 0900b5101c195e81136d9ae29f2ffab1
SHA1: 23aa366cd9680a7cb9d852eafd792ecfacc1b2a0
SHA256: db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1
SHA512: 29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944
-
C:\Program Files (x86)\MP3SoundRecorder\set.ini
Filesize: 562B
MD5: 3bdff134bb920cb94e0f8c276d15b641
SHA1: 23fec0ca9ea4b75ed0a01ba8856d365eddd9c375
SHA256: e4ddef3d1e5063d0e57bd70798c45a118b4fe8675029f14aeee3a7578e9e05bb
SHA512: ffdb18835ef95258f16d101dae452c67e5c02d49b281684a67a2ac1d108a5c7643ea9e3d849fa428d0a86fbaa3048a949a59f6e3e99513d256c9daed50536ed8
-
C:\Program Files (x86)\MP3SoundRecorder\ti.ico
Filesize: 318B
MD5: 134c8bed1fc5e4a3e770601ae8f27da5
SHA1: 6ff5a0f9c9edad8a30ce4892f1b8bf3d313d2160
SHA256: b736782a412a078e8d46ea43199f2f8725cb40ea470ec314763f9cb2a88c9954
SHA512: 237941da48a648aa55624001ad3e7f8bf2289de4d6b5fdea78c9c552c7d21cd05d2d6665fa52ac0d761bdbbe3313bf4c8ba07da8e8e8e2de48dc1e1e0670bc81
-
C:\Users\Admin\AppData\Local\Temp\autA628.tmp
Filesize: 248KB
MD5: 9186d8fc4b4298ca4fc0caa405970a9e
SHA1: f6f97cf79d261908a5872c657aba9cefd9c170c6
SHA256: cff94f945b47337dcf86a255f34c86f7970cd03b194329be0cbd0b980a33ac61
SHA512: 5db9ac188a464e382c58c877cf4b4d8c4e528c5db93fe8f501cad8352ee74b59fc910d3de011c0d42e1ac6ec53c16a81f1bcf73e106a8117863e557e74a3f43e
-
memory/1300-222-0x00000000023F0000-0x0000000002418000-memory.dmp
Filesize: 160KB
-
memory/1300-217-0x0000000000AD0000-0x0000000000B02000-memory.dmp
Filesize: 200KB
-
memory/1300-226-0x0000000002300000-0x0000000002301000-memory.dmp
Filesize: 4KB
-
memory/1300-227-0x0000000000400000-0x0000000000527000-memory.dmp
Filesize: 1.2MB
-
memory/1300-232-0x0000000000400000-0x0000000000527000-memory.dmp
Filesize: 1.2MB
-
memory/1300-233-0x0000000000400000-0x0000000000527000-memory.dmp
Filesize: 1.2MB
-
memory/2560-133-0x0000000000400000-0x00000000006CC000-memory.dmp
Filesize: 2.8MB
-
memory/2560-212-0x0000000000400000-0x00000000006CC000-memory.dmp
Filesize: 2.8MB