9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187

Analysis

max time kernel
2s
max time network
6s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Size

3.2MB
MD5

f4459561d7692d509942012f66de97db
SHA1

566974964db4337b787872d808816f142d0af4e5
SHA256

9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187
SHA512

76d288be2d873f72187cffa6def8f50faef09dd55c1511ac9dab34bde74ff760be231f59967f6a314c9d811a743e78504c97a4af3d15c3e370dc00f20be34434
SSDEEP

49152:/WIj/cs0FX0oGsWB9zKK6la61RAuWFUKAdtv8lZOpgSHZJSgLmcvC:5QbXWB9zKK6lBuu6UKgE8pgSPRaQC

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000012023-55.dat	acprotect
behavioral1/files/0x0009000000012023-177.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2836	sg.tmp
1932	WinNTSetup_x64.exe

Loads dropped DLL 4 IoCs

pid	Process
2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
1932	WinNTSetup_x64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-53-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral1/memory/2680-57-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0009000000012023-55.dat	upx
behavioral1/memory/2680-59-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral1/files/0x0009000000012023-177.dat	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeBackupPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeRestorePrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeRestorePrivilege	2836	sg.tmp
Token: 35	2836	sg.tmp
Token: SeSecurityPrivilege	2836	sg.tmp
Token: SeSecurityPrivilege	2836	sg.tmp
Token: 33	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeTakeOwnershipPrivilege	1932	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	1932	WinNTSetup_x64.exe
Token: SeRestorePrivilege	1932	WinNTSetup_x64.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2796	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	28
PID 2680 wrote to memory of 2796	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	28
PID 2680 wrote to memory of 2796	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	28
PID 2680 wrote to memory of 2796	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	28
PID 2680 wrote to memory of 2836	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	30
PID 2680 wrote to memory of 2836	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	30
PID 2680 wrote to memory of 2836	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	30
PID 2680 wrote to memory of 2836	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	30
PID 2680 wrote to memory of 1932	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	32
PID 2680 wrote to memory of 1932	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	32
PID 2680 wrote to memory of 1932	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	32
PID 2680 wrote to memory of 1932	2680	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	32

C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
"C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\~2712373560399203845~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~5182211748940617042"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\WinNTSetup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\WinNTSetup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2712373560399203845~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2712373560399203845~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\Imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2b5c58bca681b69d3ba255dd6857795a

SHA1
d71461bb4bd154cd416a50ed099f539fed1931cd

SHA256
c5063ece28382bf6a45082e6a77d300aef70ec301bf7591f142056271438b7fb

SHA512
2630f12f5e9e11670b6eafc8ce638580315ae0d60565dc969e9f02a37d3a7128dc17f45b0405c4210eced5fa879fabf144586f30b5183134ebc5bafce9c45f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5182211748940617042\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
8858e0e0f0e50d6d1547bc20ae219f12

SHA1
cb8a02a6d458d724730d3359ad082d318061c49a

SHA256
47d0a7cc610807ea078f74db76301ec31721eac46bde4045c51ed5baa1f4948d

SHA512
ccbfcae1220c3bb0804db50dab076a3b52e918d4082af7ebf7ae3fdc16a78ba0311d34d965853afac687b858a7a20f2aaa20b26e4544c43cf76911e4f7eb2f00

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\~2712373560399203845~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2b5c58bca681b69d3ba255dd6857795a

SHA1
d71461bb4bd154cd416a50ed099f539fed1931cd

SHA256
c5063ece28382bf6a45082e6a77d300aef70ec301bf7591f142056271438b7fb

SHA512
2630f12f5e9e11670b6eafc8ce638580315ae0d60565dc969e9f02a37d3a7128dc17f45b0405c4210eced5fa879fabf144586f30b5183134ebc5bafce9c45f8c

Download Submit
\Users\Admin\AppData\Local\Temp\~5182211748940617042\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
8858e0e0f0e50d6d1547bc20ae219f12

SHA1
cb8a02a6d458d724730d3359ad082d318061c49a

SHA256
47d0a7cc610807ea078f74db76301ec31721eac46bde4045c51ed5baa1f4948d

SHA512
ccbfcae1220c3bb0804db50dab076a3b52e918d4082af7ebf7ae3fdc16a78ba0311d34d965853afac687b858a7a20f2aaa20b26e4544c43cf76911e4f7eb2f00

Download Submit
memory/2680-53-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2680-57-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2680-59-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download