940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
Size

6.4MB
MD5

f14d9aa9b487fb86e67e5c537cc5e266
SHA1

d85406a48927dbc4756aaaf9549a3c6da6a37ee8
SHA256

940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34
SHA512

75d101208b841f01a6d8462717028f36f02312299bf21a75a4720e423ccd555b854a9754a81b9b4000dea2925d044d2d725dab46077201d842f9bb6b64efd5fc
SSDEEP

196608:+4EW7DsOV6cYeJh2zcG4tbVK0+Gw5s8atJVEZe:nUPeDSA1VKYw5nat1

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231fd-48.dat	acprotect
behavioral2/files/0x00070000000231fd-50.dat	acprotect
behavioral2/files/0x00070000000231fe-61.dat	acprotect
behavioral2/files/0x00070000000231fe-58.dat	acprotect
behavioral2/files/0x0007000000023204-69.dat	acprotect
behavioral2/files/0x0007000000023204-75.dat	acprotect
behavioral2/files/0x00070000000231fd-74.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4648-0-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-1-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-3-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-2-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-4-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-5-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-7-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-9-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-11-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-13-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-15-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-17-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-19-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-20-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-22-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-24-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-30-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-28-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-26-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-32-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-36-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-42-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-46-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-44-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-40-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-38-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/memory/4648-34-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/files/0x00070000000231fd-48.dat	upx
behavioral2/memory/4648-53-0x0000000003580000-0x00000000038AB000-memory.dmp	upx
behavioral2/memory/4648-54-0x0000000003580000-0x00000000038AB000-memory.dmp	upx
behavioral2/files/0x00070000000231fd-50.dat	upx
behavioral2/memory/4648-55-0x0000000001150000-0x000000000118E000-memory.dmp	upx
behavioral2/files/0x00070000000231fe-61.dat	upx
behavioral2/files/0x00070000000231fe-58.dat	upx
behavioral2/memory/4648-62-0x00000000742B0000-0x00000000744E8000-memory.dmp	upx
behavioral2/files/0x0007000000023204-69.dat	upx
behavioral2/memory/4648-73-0x0000000074070000-0x0000000074184000-memory.dmp	upx
behavioral2/files/0x0007000000023204-75.dat	upx
behavioral2/files/0x00070000000231fd-74.dat	upx
behavioral2/memory/4648-76-0x0000000003580000-0x00000000038AB000-memory.dmp	upx
behavioral2/memory/4648-77-0x00000000742B0000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/4648-78-0x0000000074070000-0x0000000074184000-memory.dmp	upx
behavioral2/memory/4648-81-0x0000000074070000-0x0000000074184000-memory.dmp	upx
behavioral2/memory/4648-82-0x0000000003580000-0x00000000038AB000-memory.dmp	upx
behavioral2/memory/4648-83-0x00000000742B0000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/4648-84-0x0000000074070000-0x0000000074184000-memory.dmp	upx
behavioral2/memory/4648-85-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-86-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-87-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-88-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/4648-90-0x00000000742B0000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/4648-91-0x0000000074070000-0x0000000074184000-memory.dmp	upx

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2644	NETSTAT.EXE
4024	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	NETSTAT.EXE
Token: SeDebugPrivilege	4024	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3240	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	91
PID 4648 wrote to memory of 3240	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	91
PID 4648 wrote to memory of 3240	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	91
PID 3240 wrote to memory of 2644	3240	cmd.exe	93
PID 3240 wrote to memory of 2644	3240	cmd.exe	93
PID 3240 wrote to memory of 2644	3240	cmd.exe	93
PID 3240 wrote to memory of 4432	3240	cmd.exe	94
PID 3240 wrote to memory of 4432	3240	cmd.exe	94
PID 3240 wrote to memory of 4432	3240	cmd.exe	94
PID 4648 wrote to memory of 4032	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	95
PID 4648 wrote to memory of 4032	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	95
PID 4648 wrote to memory of 4032	4648	940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe	95
PID 4032 wrote to memory of 4024	4032	cmd.exe	97
PID 4032 wrote to memory of 4024	4032	cmd.exe	97
PID 4032 wrote to memory of 4024	4032	cmd.exe	97
PID 4032 wrote to memory of 4924	4032	cmd.exe	98
PID 4032 wrote to memory of 4924	4032	cmd.exe	98
PID 4032 wrote to memory of 4924	4032	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe
"C:\Users\Admin\AppData\Local\Temp\940e82e6807df9edcd7598ecc7d848c245531504fa92f7c8dbc3286a662c6f34.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find ":41200 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\find.exe
    find ":41200 "
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find ":41300 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- - C:\Windows\SysWOW64\find.exe
    find ":41300 "
    3⤵
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ee\Plugins\rdjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2.dll

Filesize
333KB

MD5
31c053643e5776f89462db3284ce9f63

SHA1
a86d5c11cc109275392b34aa3ee21b86fbe533d9

SHA256
60928b09e8ff531e029ecf465212b377c930102f627ac0150e04b149a50b774c

SHA512
f840d143509a54992a3fb790a23a4cce9a7600e0919007afcbe306c5db796655df661a91196030fd52f964b22d31a5ef0ba8c9a4eafc657f2c15f918235a660d

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2.dll

Filesize
333KB

MD5
31c053643e5776f89462db3284ce9f63

SHA1
a86d5c11cc109275392b34aa3ee21b86fbe533d9

SHA256
60928b09e8ff531e029ecf465212b377c930102f627ac0150e04b149a50b774c

SHA512
f840d143509a54992a3fb790a23a4cce9a7600e0919007afcbe306c5db796655df661a91196030fd52f964b22d31a5ef0ba8c9a4eafc657f2c15f918235a660d

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2Plus.dll

Filesize
1.5MB

MD5
574d3209c25d3f2595d0ad97fe7dc949

SHA1
cab29752a188d3d6128273d5690d5b64837990d9

SHA256
7d00543740e6c254beabab4f0b9f788186b75c97463f552e84b394d2b359479a

SHA512
4f48054b7ebacdd61a4469c49156e5e53a6403533badfd2342049c7e2ee8ae816dff6009c7d5840f5de99272f17a1705ec6ed53f1437b7923c408be61523641b

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2Plus.dll

Filesize
1.5MB

MD5
574d3209c25d3f2595d0ad97fe7dc949

SHA1
cab29752a188d3d6128273d5690d5b64837990d9

SHA256
7d00543740e6c254beabab4f0b9f788186b75c97463f552e84b394d2b359479a

SHA512
4f48054b7ebacdd61a4469c49156e5e53a6403533badfd2342049c7e2ee8ae816dff6009c7d5840f5de99272f17a1705ec6ed53f1437b7923c408be61523641b

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2Plus.dll

Filesize
1.5MB

MD5
574d3209c25d3f2595d0ad97fe7dc949

SHA1
cab29752a188d3d6128273d5690d5b64837990d9

SHA256
7d00543740e6c254beabab4f0b9f788186b75c97463f552e84b394d2b359479a

SHA512
4f48054b7ebacdd61a4469c49156e5e53a6403533badfd2342049c7e2ee8ae816dff6009c7d5840f5de99272f17a1705ec6ed53f1437b7923c408be61523641b

Download Submit
C:\Users\Admin\Documents\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
C:\Users\Admin\Documents\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
memory/4648-20-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-55-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-15-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-17-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-19-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-0-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-22-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-24-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-30-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-28-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-26-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-32-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-36-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-42-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-46-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-44-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-40-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-38-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-34-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-11-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-53-0x0000000003580000-0x00000000038AB000-memory.dmp

Filesize
3.2MB

Download
memory/4648-54-0x0000000003580000-0x00000000038AB000-memory.dmp

Filesize
3.2MB

Download
memory/4648-9-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-13-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-7-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-5-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-62-0x00000000742B0000-0x00000000744E8000-memory.dmp

Filesize
2.2MB

Download
memory/4648-4-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-2-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-73-0x0000000074070000-0x0000000074184000-memory.dmp

Filesize
1.1MB

Download
memory/4648-3-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/4648-1-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-76-0x0000000003580000-0x00000000038AB000-memory.dmp

Filesize
3.2MB

Download
memory/4648-77-0x00000000742B0000-0x00000000744E8000-memory.dmp

Filesize
2.2MB

Download
memory/4648-78-0x0000000074070000-0x0000000074184000-memory.dmp

Filesize
1.1MB

Download
memory/4648-81-0x0000000074070000-0x0000000074184000-memory.dmp

Filesize
1.1MB

Download
memory/4648-82-0x0000000003580000-0x00000000038AB000-memory.dmp

Filesize
3.2MB

Download
memory/4648-83-0x00000000742B0000-0x00000000744E8000-memory.dmp

Filesize
2.2MB

Download
memory/4648-84-0x0000000074070000-0x0000000074184000-memory.dmp

Filesize
1.1MB

Download
memory/4648-85-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-86-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-87-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-88-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/4648-90-0x00000000742B0000-0x00000000744E8000-memory.dmp

Filesize
2.2MB

Download
memory/4648-91-0x0000000074070000-0x0000000074184000-memory.dmp

Filesize
1.1MB

Download