dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20/09/2023, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
Size

10.7MB
MD5

ab49ad81412be98c774cde275196c9cb
SHA1

d91e859e3b6a809881ac306425b1a46dc1628821
SHA256

dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175
SHA512

e32e89318e80896dca00f4f2f2c19efce37fc8de1d5fc965dd38ca94e21ec778c98f5df58caab1288aa748a6973a001ea0a4e480d56f1ba915b2dccc901ed0de
SSDEEP

196608:1kzGKRvAur/k6WD/voTpgPvgdWQmQPUwR5waKW1J0wI5h6PPIi:1kzG8v9MxD/vGkvgpUqN/xHz

Score

7^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016446-80.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2040-68-0x00000000771E0000-0x00000000772E0000-memory.dmp	upx
behavioral1/files/0x0009000000016446-80.dat	upx
behavioral1/memory/2040-83-0x00000000721F0000-0x0000000072229000-memory.dmp	upx
behavioral1/memory/2040-96-0x00000000721F0000-0x0000000072229000-memory.dmp	upx
behavioral1/memory/2040-100-0x00000000721F0000-0x0000000072229000-memory.dmp	upx
behavioral1/memory/2040-102-0x00000000721F0000-0x0000000072229000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x0000000002215000-memory.dmp	vmprotect
behavioral1/memory/2040-6-0x0000000000400000-0x0000000002215000-memory.dmp	vmprotect
behavioral1/memory/2040-43-0x0000000000400000-0x0000000002215000-memory.dmp	vmprotect

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\gb.mu	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
2040	dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe

C:\Users\Admin\AppData\Local\Temp\dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe
"C:\Users\Admin\AppData\Local\Temp\dfc474d4eac834fcad9cb1d88a7273aec181070cf551f15cc6c5cded4324d175.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cursors\gb.mu

Filesize
13KB

MD5
be702be6be99ad2203d50516014e5cd9

SHA1
b4842827e5bc9de24e74d5b08afa0675df570dba

SHA256
02bb80610621625b0c420a9fc8ba32efeef4b859b327aaa0dfb62da38abbf41c

SHA512
79cfb96a73ec2b8341c59580f7ecd5db53b5023e41acad47e6e8bd8350532d1c4dcb04c1e62bbf3bd149b1779ed904b271bb1b9fb23c6fed1752ade43239f9a8

Download Submit
\Users\Admin\AppData\Local\Temp\HPSocket.dll

Filesize
80KB

MD5
b220f0b3057a925147f57c5ebff51523

SHA1
bb9faca3b0e9f849301ecbd58381e7965a143781

SHA256
f12af891c0c1cb5e793ab260ff92e9792c8f7f2541162390a44c27e2e954dcb8

SHA512
1e9fb6bd6005aab4f553b0a02c373671ce26fa773b06461e0041cfad0ae62bbf319105296ebd5e2c1ccf1c478ce17510aeb32dab8b83254fa2a18c9148f121f1

Download Submit
memory/2040-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-12-0x0000000077900000-0x0000000077901000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-43-0x0000000000400000-0x0000000002215000-memory.dmp

Filesize
30.1MB

Download
memory/2040-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-6-0x0000000000400000-0x0000000002215000-memory.dmp

Filesize
30.1MB

Download
memory/2040-0-0x0000000000400000-0x0000000002215000-memory.dmp

Filesize
30.1MB

Download
memory/2040-8-0x0000000077900000-0x0000000077901000-memory.dmp

Filesize
4KB

Download
memory/2040-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2040-68-0x00000000771E0000-0x00000000772E0000-memory.dmp

Filesize
1024KB

Download
memory/2040-69-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/2040-3-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/2040-83-0x00000000721F0000-0x0000000072229000-memory.dmp

Filesize
228KB

Download
memory/2040-85-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/2040-95-0x00000000771E0000-0x00000000772E0000-memory.dmp

Filesize
1024KB

Download
memory/2040-96-0x00000000721F0000-0x0000000072229000-memory.dmp

Filesize
228KB

Download
memory/2040-98-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/2040-100-0x00000000721F0000-0x0000000072229000-memory.dmp

Filesize
228KB

Download
memory/2040-102-0x00000000721F0000-0x0000000072229000-memory.dmp

Filesize
228KB

Download