9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Size

3.2MB
MD5

f4459561d7692d509942012f66de97db
SHA1

566974964db4337b787872d808816f142d0af4e5
SHA256

9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187
SHA512

76d288be2d873f72187cffa6def8f50faef09dd55c1511ac9dab34bde74ff760be231f59967f6a314c9d811a743e78504c97a4af3d15c3e370dc00f20be34434
SSDEEP

49152:/WIj/cs0FX0oGsWB9zKK6la61RAuWFUKAdtv8lZOpgSHZJSgLmcvC:5QbXWB9zKK6lBuu6UKgE8pgSPRaQC

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231ef-135.dat	acprotect
behavioral2/files/0x00080000000231ef-145.dat	acprotect
behavioral2/files/0x00080000000231ef-144.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4732	sg.tmp
4320	WinNTSetup_x64.exe

Loads dropped DLL 5 IoCs

pid	Process
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
4732	sg.tmp
4320	WinNTSetup_x64.exe
4320	WinNTSetup_x64.exe
4320	WinNTSetup_x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-133-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral2/files/0x00080000000231ef-135.dat	upx
behavioral2/memory/5052-137-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5052-139-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral2/files/0x00080000000231ef-145.dat	upx
behavioral2/files/0x00080000000231ef-144.dat	upx
behavioral2/memory/4732-146-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4732-328-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5052-348-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral2/memory/5052-349-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5052-358-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5052-364-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeBackupPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeRestorePrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: 33	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeRestorePrivilege	4732	sg.tmp
Token: 35	4732	sg.tmp
Token: SeSecurityPrivilege	4732	sg.tmp
Token: SeSecurityPrivilege	4732	sg.tmp
Token: SeDebugPrivilege	4732	sg.tmp
Token: 33	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeIncBasePriorityPrivilege	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
Token: SeTakeOwnershipPrivilege	4320	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	4320	WinNTSetup_x64.exe
Token: SeRestorePrivilege	4320	WinNTSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	4320	WinNTSetup_x64.exe
Token: SeBackupPrivilege	4320	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	4320	WinNTSetup_x64.exe
Token: SeRestorePrivilege	4320	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	4320	WinNTSetup_x64.exe
Token: SeTakeOwnershipPrivilege	4320	WinNTSetup_x64.exe
Token: SeManageVolumePrivilege	4320	WinNTSetup_x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4320	WinNTSetup_x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4320	WinNTSetup_x64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4796	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	82
PID 5052 wrote to memory of 4796	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	82
PID 5052 wrote to memory of 4732	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	84
PID 5052 wrote to memory of 4732	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	84
PID 5052 wrote to memory of 4732	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	84
PID 5052 wrote to memory of 4320	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	86
PID 5052 wrote to memory of 4320	5052	9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe	86

C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe
"C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\~5960569612132370364~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\9d4d5e5ae2bc63a3831dd21a92d75577ee732048b44494e8c2b06882e0123187.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3095464749789392436"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\WinNTSetup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\WinNTSetup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\Imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\BootICE\Booticex64.exe

Filesize
456KB

MD5
949292f7fa78b84bd07cf521f7a3f603

SHA1
50925a82d8d6566a19a1c9db34462f6b7b1e0f8f

SHA256
75dc47ee7227f6691dea4f6d0d58b742a04d874de74b61e5fbdd8fa298de6f88

SHA512
c1ecd4a0c610f58753cfe1a9f62991b055b38946c25289f1b4643ced3501a5febeded7c6fe926e3ab2b379e220ee1e5a4dfca2b63f51a9b48da7891eac70d1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2b5c58bca681b69d3ba255dd6857795a

SHA1
d71461bb4bd154cd416a50ed099f539fed1931cd

SHA256
c5063ece28382bf6a45082e6a77d300aef70ec301bf7591f142056271438b7fb

SHA512
2630f12f5e9e11670b6eafc8ce638580315ae0d60565dc969e9f02a37d3a7128dc17f45b0405c4210eced5fa879fabf144586f30b5183134ebc5bafce9c45f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2b5c58bca681b69d3ba255dd6857795a

SHA1
d71461bb4bd154cd416a50ed099f539fed1931cd

SHA256
c5063ece28382bf6a45082e6a77d300aef70ec301bf7591f142056271438b7fb

SHA512
2630f12f5e9e11670b6eafc8ce638580315ae0d60565dc969e9f02a37d3a7128dc17f45b0405c4210eced5fa879fabf144586f30b5183134ebc5bafce9c45f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3095464749789392436\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
8858e0e0f0e50d6d1547bc20ae219f12

SHA1
cb8a02a6d458d724730d3359ad082d318061c49a

SHA256
47d0a7cc610807ea078f74db76301ec31721eac46bde4045c51ed5baa1f4948d

SHA512
ccbfcae1220c3bb0804db50dab076a3b52e918d4082af7ebf7ae3fdc16a78ba0311d34d965853afac687b858a7a20f2aaa20b26e4544c43cf76911e4f7eb2f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5960569612132370364~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5960569612132370364~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/4732-328-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4732-146-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-338-0x0000000075F70000-0x0000000075FD3000-memory.dmp

Filesize
396KB

Download
memory/5052-133-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/5052-139-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/5052-345-0x0000000075F70000-0x0000000075FD3000-memory.dmp

Filesize
396KB

Download
memory/5052-348-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/5052-349-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-354-0x0000000075F70000-0x0000000075FD3000-memory.dmp

Filesize
396KB

Download
memory/5052-358-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-137-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-364-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5052-388-0x0000000075F70000-0x0000000075FD3000-memory.dmp

Filesize
396KB

Download