30ad19408d4e5db2f68c7b9c990eacf4659c86e0936bee5f919999e294f98bc0

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16ae7a136fdbf226ab2b08d03c3cc15a.exe
Size

450KB
MD5

16ae7a136fdbf226ab2b08d03c3cc15a
SHA1

74ce89cb462ae0c554bcbe9080c4a5b099604aa4
SHA256

30ad19408d4e5db2f68c7b9c990eacf4659c86e0936bee5f919999e294f98bc0
SHA512

ea4a60cb4baae2c38f477085fd654fd13926ffecbe90d9eb40d843d245610dd5296bed12eea7e4eb39a59931f713a4a8ac495246652e3e1e0ee1710f2c4e6606
SSDEEP

6144:5ZunObR8sVImcyYC5JxY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxP8:WK+mzWNE/Ds3fM20lHmYWwH3zuxP8

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014395-31.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3044	loadwg.exe
2824	ztwg.exe

Loads dropped DLL 7 IoCs

pid	Process
2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe
2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe
3044	loadwg.exe
3044	loadwg.exe
2824	ztwg.exe
3044	loadwg.exe
2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000139e6-7.dat	upx
behavioral1/memory/2548-9-0x0000000003570000-0x000000000361C000-memory.dmp	upx
behavioral1/memory/2548-35-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/3044-34-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/2824-33-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/files/0x0007000000014395-31.dat	upx
behavioral1/memory/2824-24-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000900000001412c-21.dat	upx
behavioral1/memory/3044-16-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2824-37-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/3044-39-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3044-39-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\704C3595.dll	ztwg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\S8a8cnEuaydPJGg8.Ttf	ztwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32	ztwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ztwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	ztwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}	ztwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32	ztwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32\ = "C:\\Windows\\SysWow64\\704C3595.dll"	ztwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32\ThreadingModel = "Apartment"	ztwg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2824	ztwg.exe
2824	ztwg.exe
2824	ztwg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	loadwg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe
Token: SeDebugPrivilege	2824	ztwg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2824	ztwg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3044	2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe	28
PID 2548 wrote to memory of 3044	2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe	28
PID 2548 wrote to memory of 3044	2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe	28
PID 2548 wrote to memory of 3044	2548	16ae7a136fdbf226ab2b08d03c3cc15a.exe	28
PID 3044 wrote to memory of 2824	3044	loadwg.exe	29
PID 3044 wrote to memory of 2824	3044	loadwg.exe	29
PID 3044 wrote to memory of 2824	3044	loadwg.exe	29
PID 3044 wrote to memory of 2824	3044	loadwg.exe	29
PID 2824 wrote to memory of 2280	2824	ztwg.exe	30
PID 2824 wrote to memory of 2280	2824	ztwg.exe	30
PID 2824 wrote to memory of 2280	2824	ztwg.exe	30
PID 2824 wrote to memory of 2280	2824	ztwg.exe	30

C:\Users\Admin\AppData\Local\Temp\16ae7a136fdbf226ab2b08d03c3cc15a.exe
"C:\Users\Admin\AppData\Local\Temp\16ae7a136fdbf226ab2b08d03c3cc15a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ztwg.exe
    ztwg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\RarSFX0\ztwg.exe >> NUL
      4⤵
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ztwg.exe

Filesize
26KB

MD5
00378850d6661510262d7b058ffc4c79

SHA1
63d63406c57bd32466cbe3bd9ff7c00adb77b887

SHA256
7d352fcc70229b4d784181d590733b4d7d44964d425d7931a0fdd0b3b5b01847

SHA512
95dc5ce14a77dac64d42c33cecf0e56685f56daa3e782c4c56370b3008317d5144dfd37960dab2c9ccf56e4b13195a612c9d5af0346647e6b1ce9774dd474d83

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
\Windows\SysWOW64\704C3595.dll

Filesize
20KB

MD5
691daddef58f12c1ff3a12fa96975482

SHA1
69d87851517b26c9b1c5c4b841cf26c3e38fde28

SHA256
0a64529345b98b3a5bef3586b343d77435391b4b0f6f593c7d676f2368e56773

SHA512
d0dcb4beaf57d31d5a190ffd5b84b5653c2bab8d7e41cb6d5e49f143fd450b8cbb50feacf402f11dad2c7431d66ebf6a2d0591e7e235e638ae6fe460670dc571

Download Submit
memory/2548-14-0x0000000003570000-0x000000000361C000-memory.dmp

Filesize
688KB

Download
memory/2548-9-0x0000000003570000-0x000000000361C000-memory.dmp

Filesize
688KB

Download
memory/2548-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2548-35-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2824-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-33-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2824-37-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3044-22-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3044-34-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3044-16-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3044-23-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3044-39-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3044-42-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3044-43-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download