350faab1162e3b87132f0a525c2c53c86f3521bb8b8e7e04eeb5b5d48dca17fe

Analysis

max time kernel
120s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-10-2023 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe
Size

318.0MB
MD5

8c9ae9f0a0f5055e33b40161a511830e
SHA1

bfb024240c587bf3c355ba4cbe512e7490f3fcaf
SHA256

18fe7975769432565e0990817d3fd46a1a28fb14672386504254037905a7217f
SHA512

f8ec9acc95801f44da2e6cce7a23d805d7cca015a69217d6a105719d853e8b0fe3cee7121f4d71df3bc103d65413a94cf91d1fc3f4fe58d380b979e5363a69a5
SSDEEP

6291456:IMShiZwO/1w7g2Daf4zAiV2TRmjiqzINgNRdO+eRedlIiuijyWTtJirh:qhif1xWXUqVzNRE7Re5Zch

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
964	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/1988-1-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/1988-1341-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/2812-1342-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/824-1343-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/824-1346-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/1980-1347-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/1980-1349-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral1/memory/1988-1992-0x0000000000400000-0x0000000000503000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2100	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2812	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	30
PID 1988 wrote to memory of 2812	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	30
PID 1988 wrote to memory of 2812	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	30
PID 1988 wrote to memory of 2812	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	30
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 2812 wrote to memory of 964	2812	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	31
PID 1988 wrote to memory of 824	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	32
PID 1988 wrote to memory of 824	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	32
PID 1988 wrote to memory of 824	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	32
PID 1988 wrote to memory of 824	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	32
PID 824 wrote to memory of 1344	824	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	33
PID 824 wrote to memory of 1344	824	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	33
PID 824 wrote to memory of 1344	824	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	33
PID 824 wrote to memory of 1344	824	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	33
PID 1344 wrote to memory of 832	1344	cmd.exe	35
PID 1344 wrote to memory of 832	1344	cmd.exe	35
PID 1344 wrote to memory of 832	1344	cmd.exe	35
PID 1344 wrote to memory of 832	1344	cmd.exe	35
PID 832 wrote to memory of 2020	832	net.exe	36
PID 832 wrote to memory of 2020	832	net.exe	36
PID 832 wrote to memory of 2020	832	net.exe	36
PID 832 wrote to memory of 2020	832	net.exe	36
PID 1988 wrote to memory of 1980	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	37
PID 1988 wrote to memory of 1980	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	37
PID 1988 wrote to memory of 1980	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	37
PID 1988 wrote to memory of 1980	1988	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	37
PID 1980 wrote to memory of 1148	1980	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	38
PID 1980 wrote to memory of 1148	1980	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	38
PID 1980 wrote to memory of 1148	1980	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	38
PID 1980 wrote to memory of 1148	1980	8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe	38
PID 1148 wrote to memory of 2100	1148	cmd.exe	40
PID 1148 wrote to memory of 2100	1148	cmd.exe	40
PID 1148 wrote to memory of 2100	1148	cmd.exe	40
PID 1148 wrote to memory of 2100	1148	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe
"C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe
  "C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe" -sfxwaitall:0 "setup.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe
  "C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe" -sfxwaitall:1 "cmd" /c If Exist Stop_SC.bat Stop_SC.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c If Exist Stop_SC.bat Stop_SC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\net.exe
      net stop ABBYY.Licensing.FineReader.Professional.12.0
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ABBYY.Licensing.FineReader.Professional.12.0
        5⤵
        
        PID:2020
- C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe
  "C:\Users\Admin\AppData\Local\Temp\8cce40741f5cf8a9e96c1a2b3998410356c492d8ba97b99ed9a7dcfcbaf58c7e.exe" -sfxwaitall:1 "cmd" /c If Exist Del_SC.bat Del_SC.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c If Exist Del_SC.bat Del_SC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ABBYY.Licensing.FineReader.Professional.12.0
      4⤵
      Launches sc.exe
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\1030.mst

Filesize
404KB

MD5
785e7c677ce4d4b4c2ae86b738a69d0f

SHA1
bc60d45e27b2aa09e9fc4833ef6784067333bf9b

SHA256
c352009bcd0c07ef3c40b137fe23ba6501c51ecd0aa72bd0fc6469109be8b070

SHA512
108463fb9048b8c1e9e12d93807b38684b458ad8512aef05d0b534e1364bb35cb2ae9d7b504383e07676412b9b96f204f208f81bfbdfa01aea8ab726f91eae47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\1031.mst

Filesize
388KB

MD5
dffe5667d8f3be056e3012302ec6d1d6

SHA1
5bfa9e0cfc8db1a5d6cdc90990913d4cb13350ef

SHA256
f0b6e6e5e520b2acddeb01a8c45f30495b69b5544241f7f1b0e03f329ea04b16

SHA512
10583a495ccbdc11f67336c203b4502028e583f43f2192cad815566b47c0789ba81519c5702356a6800ad3ace59fd2f3641f902360001fdcc3cfd8774fbf2c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\Bonus.ScreenshotReader.dlp

Filesize
37KB

MD5
4c7f49f0ee5431efcb0ec2de7b918b8c

SHA1
7c5e25919d11f8c1aac01235a7dea1416ebebe51

SHA256
3475bfa0dcf522db5805fe6633bfb29b53393aafdbf42805db1a02ab1cfefd79

SHA512
e74ffe3880bf3ded0ee822b113c6ca4adc0f3e0df70962d98af78b1f4934649a9f5c0d7ca3c611039b88e5ddab6b648df959ee93dc0b14e389d1d9b65c83b3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\EULA22.rtf

Filesize
598KB

MD5
96183b5f95aa6e87bcbdb50d1249efa4

SHA1
6cc9a94d09d982479bfc38ee418ed0e5e45838d6

SHA256
fcdf480bfa215cfb39175ebae5b08c359101520a0a8686610424ce56b5bd02e6

SHA512
0c1eee948370a2b9bb11d63a1cd2ed0f9e048b9467120920c43eda6bca3692f1c79beb3f73884578d3b94c6828f75ff700cd2f22290d0e786a0687d5410377d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\EULA7.rtf

Filesize
272KB

MD5
c87297e94ebb53045227380e1ac6cad9

SHA1
1de58c9573455441587e358734e4bcf17dce68bc

SHA256
6ce7f50644930e8d36e869151b85ef0785a6aebf4f2910604962efa300ae250c

SHA512
698038acb7f1d9ccb87e098efc7e546e0645243e24f8ed5f1f11203141a23d9d2460597605d6ce286e9d5fb9e8a8ac9515f0b305f0d3e7dee4ceb557523bae69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\EULA8.rtf

Filesize
305KB

MD5
e546f10e3e835ec78876f6f79352fa2e

SHA1
29bc3a78e68243d69adbda0bddb0cea5a32226f0

SHA256
d25d42c311bc4058f7c131e7300e64d611b3921f534db83c14a7a7168a5b7642

SHA512
b66d8b24045f90aa50c38140ba2269098b81775e4848ab92efd9f183104b0984d5d3f2221601c137ad4e1d3bbc74c8597619a98c9e096ed323029b80d800094d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\FineUI.dlp

Filesize
34KB

MD5
e4f3ddb30a20726c7c1b749c51ea126f

SHA1
0003d46ff5acb3bbebb064763932661d78e74ef2

SHA256
adc359aa884af4f560f78421324a3b129296dac2f65d4673c54dbf3fa5d98bce

SHA512
83b42b839f1c864df1846d07fff8121ac426292a6722ede8bfd0bb3d27e98df0fdf151aadb2e918c64c86e4b6186e19f34f911cdd7a58d8477b45ba8d5e069ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\ABBYY FineReader 12\Korean.ecjk

Filesize
4.9MB

MD5
ca8dd0bf646074ebc04bc42c74954d74

SHA1
525c6ccf2744b67c01fcd4ac0430260f0f0fa020

SHA256
37b21645bd102f7037cb93f90bec877f9ad3f13879097bb97b0782606ab87285

SHA512
54d4d34a4a5692379cc88ea93e80ed053362b6d69146ff99d7fc19fc47a153715f40c4d425ced5df702c46e8a5cd2b927179ec297900f8a3330ca8cc0911e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Del_SC.bat

Filesize
71B

MD5
ee5cdc59804274a62241b7f6f3d40b25

SHA1
a59f2e60b0e7cf775abf82d92800ff6307d95519

SHA256
dc22ee05d8ecec30798b2a354550e838f67c3f71dd903c944652efe03d9d5c32

SHA512
1d113a15567806c9714245a262e6e738cc187e7cb15dfa0c7ff7fcb74bbdf58ccb3ef9ee6e68683515af32e71fddb244cf7f2540c30e0ee13c710ead4ef3e103

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Setup.exe

Filesize
650KB

MD5
6411424e227ae5034dd89841b4f7a368

SHA1
ccdf3e5581916a439a71e105f5d4c2137ed99c70

SHA256
8ecc3628080c938283112eb13e85e1caa4c0d3cc45932a69857588ef32732e01

SHA512
b920127f986e18aafabe02d7d3003fbbd9590ab311ed493454488ab0ada58da0a9a7acdd06f05ec31d276528fab7b5d7dbc6415ec124fe7e48bdda2d2d00b5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Setup.exe

Filesize
650KB

MD5
6411424e227ae5034dd89841b4f7a368

SHA1
ccdf3e5581916a439a71e105f5d4c2137ed99c70

SHA256
8ecc3628080c938283112eb13e85e1caa4c0d3cc45932a69857588ef32732e01

SHA512
b920127f986e18aafabe02d7d3003fbbd9590ab311ed493454488ab0ada58da0a9a7acdd06f05ec31d276528fab7b5d7dbc6415ec124fe7e48bdda2d2d00b5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Stop_SC.bat

Filesize
70B

MD5
5df157af7925a78b53ca171468395632

SHA1
0a9090d27821dd73661e9198b159974ba2507141

SHA256
66c32ff4369e8204af78c3512a20547f96fc8f808ffa7237e521a48c191f4516

SHA512
ee57000ce41931a45bffda87e9f6b910de6f0b9ee66a05e6a5a4a1b507d505e943a0e06802358a83df8bec81ebf432b82fc4f2e7b5dbb69be5df12ef1e5fc53b

Download Submit
\Users\Admin\AppData\Local\Temp\RePack ABBYY FineReader_\Setup.exe

Filesize
650KB

MD5
6411424e227ae5034dd89841b4f7a368

SHA1
ccdf3e5581916a439a71e105f5d4c2137ed99c70

SHA256
8ecc3628080c938283112eb13e85e1caa4c0d3cc45932a69857588ef32732e01

SHA512
b920127f986e18aafabe02d7d3003fbbd9590ab311ed493454488ab0ada58da0a9a7acdd06f05ec31d276528fab7b5d7dbc6415ec124fe7e48bdda2d2d00b5f3

Download Submit
memory/824-1346-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/824-1343-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1980-1349-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1980-1347-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1988-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1988-1992-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1988-1344-0x0000000002C40000-0x0000000002D43000-memory.dmp

Filesize
1.0MB

Download
memory/1988-1341-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1988-1-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2812-1342-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download