8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854

General

Target

8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
Size

3.8MB
MD5

6f0eff8e713fda72ee6795a64ddaaedb
SHA1

047eca5f561200605f5f5f76302f723283a346a2
SHA256

8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854
SHA512

7c29b19aa5734628cd15b43d9f1d7d384846c4f3221fe7226e48edd45980f5c8801304345b28b9d8391c38f6598c2359d58371ea62155f7c8e29e3de0b1a1134
SSDEEP

98304:hZAiWEkwe+BQUtPeWKZMI0mohzqfP+UmSdcGraFy:xLkwe+6gJKWh+fPPy

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000231ef-6.dat	acprotect
behavioral2/files/0x00060000000231f0-12.dat	acprotect
behavioral2/files/0x00060000000231ef-16.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231ef-6.dat	upx
behavioral2/memory/3728-10-0x0000000074780000-0x00000000749B8000-memory.dmp	upx
behavioral2/files/0x00060000000231f0-12.dat	upx
behavioral2/memory/3728-15-0x0000000010000000-0x0000000010494000-memory.dmp	upx
behavioral2/files/0x00060000000231ef-16.dat	upx
behavioral2/memory/3728-20-0x0000000074780000-0x00000000749B8000-memory.dmp	upx
behavioral2/memory/3728-21-0x0000000010000000-0x0000000010494000-memory.dmp	upx
behavioral2/memory/3728-26-0x0000000074780000-0x00000000749B8000-memory.dmp	upx
behavioral2/memory/3728-38-0x0000000074780000-0x00000000749B8000-memory.dmp	upx
behavioral2/memory/3728-39-0x0000000010000000-0x0000000010494000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4552	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	NETSTAT.EXE
Token: 33	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
Token: SeIncBasePriorityPrivilege	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
Token: SeDebugPrivilege	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
Token: 33	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
Token: SeIncBasePriorityPrivilege	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4688	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe	86
PID 3728 wrote to memory of 4688	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe	86
PID 3728 wrote to memory of 4688	3728	8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe	86
PID 4688 wrote to memory of 4552	4688	cmd.exe	88
PID 4688 wrote to memory of 4552	4688	cmd.exe	88
PID 4688 wrote to memory of 4552	4688	cmd.exe	88
PID 4688 wrote to memory of 456	4688	cmd.exe	89
PID 4688 wrote to memory of 456	4688	cmd.exe	89
PID 4688 wrote to memory of 456	4688	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe
"C:\Users\Admin\AppData\Local\Temp\8a3a70bd028956223bb25372a8b4cdc5347a8641871f21315af2253d117ce854.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "13941"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\SysWOW64\find.exe
    find "13941"
    3⤵
    PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ee\Plugins\owlform_free.dll

Filesize
1.8MB

MD5
225f6b7092c8f856fa4c0fd07799c859

SHA1
98a8e478d43bd3146760d3944fffcb29d5e94330

SHA256
d07b2c47d3808a00f78cc96ee7fea97f5e24fabffa94788f4277efec5a04ede6

SHA512
b68d18a9feeb783d294e6222052d4031a417b2673b056707ea7673041f10f20f0cd1da981d7ed8387dfaf67848667bdb63bf92d49d04d335e8f0ce9575dd554f

Download Submit
C:\ProgramData\ee\Plugins\rapidjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\ProgramData\ee\Plugins\rapidjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
C:\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
memory/3728-17-0x0000000002A80000-0x0000000002AA7000-memory.dmp

Filesize
156KB

Download
memory/3728-15-0x0000000010000000-0x0000000010494000-memory.dmp

Filesize
4.6MB

Download
memory/3728-10-0x0000000074780000-0x00000000749B8000-memory.dmp

Filesize
2.2MB

Download
memory/3728-20-0x0000000074780000-0x00000000749B8000-memory.dmp

Filesize
2.2MB

Download
memory/3728-21-0x0000000010000000-0x0000000010494000-memory.dmp

Filesize
4.6MB

Download
memory/3728-26-0x0000000074780000-0x00000000749B8000-memory.dmp

Filesize
2.2MB

Download
memory/3728-38-0x0000000074780000-0x00000000749B8000-memory.dmp

Filesize
2.2MB

Download
memory/3728-39-0x0000000010000000-0x0000000010494000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing