210208179e5b58d849558ed55409a45dbc276935a4da1b5e53ec4745c7eb831c

General

Target

11b33f7d609534d8b66f5a0822e4de3e.exe
Size

347KB
MD5

11b33f7d609534d8b66f5a0822e4de3e
SHA1

54cc7edad01925b04322dac8098c6dda87cefa06
SHA256

210208179e5b58d849558ed55409a45dbc276935a4da1b5e53ec4745c7eb831c
SHA512

5bcc15d139987691f797fc51e59bb7749ac605247137a56ed351404b01b07c34a4b7b09554a62485bd1194c13376c7442138f64fd33f1fd2d72806dda3100067
SSDEEP

3072:94URpNUUX6z/DBXJfo/wGP2z5hS9u5rO+IpemPQ+Qir+2v:94SUjhto00HemPJrv

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016ead-15.dat	acprotect
behavioral1/memory/1616-254-0x0000000074800000-0x0000000074809000-memory.dmp	acprotect
behavioral1/memory/1616-12-0x0000000074830000-0x0000000074839000-memory.dmp	acprotect

Loads dropped DLL 16 IoCs

pid	Process
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe
1616	11b33f7d609534d8b66f5a0822e4de3e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016ead-15.dat	upx
behavioral1/memory/1616-254-0x0000000074800000-0x0000000074809000-memory.dmp	upx
behavioral1/memory/1616-12-0x0000000074830000-0x0000000074839000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1616	11b33f7d609534d8b66f5a0822e4de3e.exe

C:\Users\Admin\AppData\Local\Temp\11b33f7d609534d8b66f5a0822e4de3e.exe
"C:\Users\Admin\AppData\Local\Temp\11b33f7d609534d8b66f5a0822e4de3e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd203E.tmp\c03lbdler.ini

Filesize
2KB

MD5
90b689658ec8d6db4d705caf76c6efdd

SHA1
39c02cd73da9c5070a00064f5728325df3228dcf

SHA256
b15f919ac3a34e28587e5f418a0ebe1767fe88440e9e83c510d82e3e5ee73257

SHA512
7a7f574c2d6f07b7d63b4a91e2caa857e5bee34b5b6e9d08abd506f6ab6fa704a8dbc06de14b76f0bacf311d40c1ada599339f946d7daea1d04cc06554831a03

Download Submit
\Users\Admin\AppData\Local\Temp\nsd203E.tmp\InstallOptions.dll

Filesize
14KB

MD5
34466cab38abcbc09ffac768d526f896

SHA1
2684f5f6c2b005cba812fc8cc1157777554fa3a3

SHA256
8b4a1e7bf076c20240eb0a46cbdc8b835cfd89265fb78a3c1c5339ab820d2c1c

SHA512
5c6ae996a81f0fd9d3efe4e61c8683eb833cb203a476772c06eadb48e10e34d05a8fc2c837cf663dcc3a37713bd86694c8eb251868aa5bb42c4b21ba8c8e8fc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd203E.tmp\nsResize.dll

Filesize
4KB

MD5
aa849e7407cf349021812f62c001e097

SHA1
4cbb55b1d1dd95dcb7a36b5a44121ad4934539af

SHA256
29b0e5792679756a79d501e3a9b317971b08e876fac1c2476180d0ae83b77ba5

SHA512
4556baa49e8182d72e29e8d809635312142eb127039f5803ca0bf011b4359f0b584a670a3bd26a9969165a332cfa14a39abeaeae0b4d90519f91fdea755c54de

Download Submit
memory/1616-255-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-12-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-257-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-254-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-253-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-252-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-76-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-258-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-37-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-256-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-259-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-266-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-267-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-265-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-264-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-263-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-262-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download
memory/1616-261-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-260-0x0000000074830000-0x0000000074839000-memory.dmp

Filesize
36KB

Download
memory/1616-268-0x0000000074800000-0x0000000074809000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing