cd901fbd7325f4cbf2498bd2b32bb6e79d2dfdaea486ccfdd35af1166478a38b

General

Target

VSoft.archITekt.21.Local.exe
Size

1.7MB
MD5

1574d97088916941ee41075061da076d
SHA1

21ce40ae7bfaf937187e43a6c10865a431bd71bb
SHA256

cd901fbd7325f4cbf2498bd2b32bb6e79d2dfdaea486ccfdd35af1166478a38b
SHA512

bd5f8ad3a60a862fcfd949d8e446cb7c6ec8d6e5d6421015a7b1dcc4f6902c6afd10c99ebf1d2eadb772dc0fa5d8b5289b46a79d896cc022f920725d2fec632a
SSDEEP

24576:My9R8jqZ46+vCA4H2XmMKZjTiqyVGChEJgr/XumfrZFV9riwpGzduJue3H:My9WjqZ4Xvo22/qvfZxFGh5GH

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012274-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1172	VSoft.archITekt.21.Local.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012274-1.dat	upx
behavioral1/memory/1172-4-0x0000000010000000-0x000000001024F000-memory.dmp	upx
behavioral1/memory/1172-6-0x0000000010000000-0x000000001024F000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1756	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1172	VSoft.archITekt.21.Local.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2220	1172	VSoft.archITekt.21.Local.exe	28
PID 1172 wrote to memory of 2220	1172	VSoft.archITekt.21.Local.exe	28
PID 1172 wrote to memory of 2220	1172	VSoft.archITekt.21.Local.exe	28
PID 1172 wrote to memory of 2220	1172	VSoft.archITekt.21.Local.exe	28

C:\Users\Admin\AppData\Local\Temp\VSoft.archITekt.21.Local.exe
"C:\Users\Admin\AppData\Local\Temp\VSoft.archITekt.21.Local.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "C:\Program Files\VSoft\archITekt\Launcher\VSoft.archITekt.Launcher.FirstRun.exe"
  2⤵
  PID:2220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\htmlInstaller-1172\htmlayout.dll

Filesize
901KB

MD5
0fadddf8de750aa2a9fcb1c35942dacb

SHA1
3fc3c1ea0cbce871f0694205766e30e296c94e2c

SHA256
7d66d80aafe831775a3e5fea050f177422eb2bc43a01b9b6756c22fd75714e0d

SHA512
d94f8c469edc4b0f81dd58546d6eb39d19c00cc53bc05f823562380d613433355c1feaeef9d49ee9642c11f5ba435177ff0b80ef37b8bdf1a54f472fa8290f58

Download Submit
memory/1172-4-0x0000000010000000-0x000000001024F000-memory.dmp

Filesize
2.3MB

Download
memory/1172-6-0x0000000010000000-0x000000001024F000-memory.dmp

Filesize
2.3MB

Download
memory/1756-7-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1756-8-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download
memory/1756-9-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing