e2dd50edb563d0b55b34818fb51550e06c535506bc159a485d537d5db0750fdc

General

Target

0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe
Size

1.0MB
MD5

0d8cfb71aa1b2ada68ce8ab9a025fbd4
SHA1

7c45495e77c5cc8f8e257b9c2762ad419e9749da
SHA256

e2dd50edb563d0b55b34818fb51550e06c535506bc159a485d537d5db0750fdc
SHA512

ffd2044624b5d096426009b8e1b49b34f6b6e6f959c839820a2b1ea36b6a8b0cbbdc53d5b4688be62a56f40cc1c36a32db2df3411c3d0944b50c1153336287dd
SSDEEP

12288:KhkqqrSo4VXMuc9cdQqiZIVgQ1HeH0e1a9E0PU08NTjreLnYwaU087HdS99Naqfc:KhcghM8BR6a9E0PFQ/U0jscq1nNR4

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0032000000015e82-73.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2704	hs_message.exe
524	autorun.exe

Loads dropped DLL 5 IoCs

pid	Process
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
524	autorun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000069C000-memory.dmp	upx
behavioral1/files/0x0032000000015e82-73.dat	upx
behavioral1/memory/524-75-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral1/memory/2360-83-0x0000000000400000-0x000000000069C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2636	2360	0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe	28
PID 2360 wrote to memory of 2636	2360	0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe	28
PID 2360 wrote to memory of 2636	2360	0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe	28
PID 2360 wrote to memory of 2636	2360	0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe	28
PID 2636 wrote to memory of 2704	2636	cmd.exe	30
PID 2636 wrote to memory of 2704	2636	cmd.exe	30
PID 2636 wrote to memory of 2704	2636	cmd.exe	30
PID 2636 wrote to memory of 2704	2636	cmd.exe	30
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31
PID 2636 wrote to memory of 524	2636	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe
"C:\Users\Admin\AppData\Local\Temp\0d8cfb71aa1b2ada68ce8ab9a025fbd4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\Start.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\hs_message.exe
    HS_MESSAGE "Did you run the program as Administrator? " "Activation Tool" Q YESNO
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\autorun.exe
    autorun.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\Start.cmd

Filesize
194B

MD5
8c6446cd79a6a05491e1c7d7646e2336

SHA1
3291502183bf08fba62ae42fb9ccb8aa02a12161

SHA256
54eab1cae4870171361cee57fa6c07fde95658bc3430f0098d23cd9497b2da31

SHA512
02262fe90e9d78ce6cff912ba8557b39881f0ff831c498d818beb0367f96847003086fbea708536d4f35564bd38fc58801578a1e4ecc0a4b57c35f3d091df417

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\autorun.apm

Filesize
193KB

MD5
6d451d884397484da93f731b7a1f9d8a

SHA1
05a98899237095a4f043d958676331e18c7a6251

SHA256
a9bc67b8f2eecbefbb085e9e636ce2bc24eaab636c1681bde5f8d2ca4073b04c

SHA512
0c50a81783b0eb41b6c760cdc657766786887195afa16a7d8e33ae5d6b49eddfb472d6784e9c493cf9351c3bea61dbe9480509b31a6c94325035f125bdd82a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\autorun.exe

Filesize
1.4MB

MD5
9f5db165601843001dd313c6c2840db9

SHA1
3289567355012833e9c47357abc9e65108906ed1

SHA256
17fe65695d275a85977b697fa98ce77a07c006e7744240eb7bbf365ce0bf9074

SHA512
e87908bfcd8d35399d4604d9ce03823d79a6a63510ca8a1fbfdc001c095bd79fc715b438435faa0081f0a445aaf68171ebe0ece09e1998ac46704f3a2cdf6add

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA5.tmp\hs_message.exe

Filesize
43KB

MD5
2b9c47facb47d3c88e988adbb91c2aff

SHA1
08801cb6a187762c49b9a50d9777dfb84e8b40b8

SHA256
f2020bd17b437fab6224d108de3bf19b98215043ecb2a7f9d02142289d8e8e50

SHA512
7165255ad3bbbccd32c1c6f704aefc68579bd55750e135e99a3682914a2316f46551ffc40eecb74f1f85d1af8903212fdb103b570c826210b08f67b3e7542ee2

Download Submit
\Users\Admin\AppData\Local\Temp\apm864F.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
memory/524-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/524-75-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/524-84-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/524-89-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2360-0-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2360-83-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2704-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing