76fcb1973015c7aee9410460db403cb59bf42fbf4914e30393922eb9d2ca0793

Analysis

max time kernel
153s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ffefd64237bb69a508ac3de79ee761f.exe
Size

544KB
MD5

3ffefd64237bb69a508ac3de79ee761f
SHA1

5ee242f97f6ef929c041ec3bc060234803edbccc
SHA256

76fcb1973015c7aee9410460db403cb59bf42fbf4914e30393922eb9d2ca0793
SHA512

9b1914012757cf6f42789f1d003337c14d939c9b458cb1beef1f0ba4fb3f2728f72b91da3cbca5d47cd787b1458f723f2c4a2990379208c7c08984117aae8e00
SSDEEP

12288:6g9qnCL/S98NgY7U5mxSI+UcpJKvqGVM3:UnQ698NwrI/cT

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 10 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002321b-61.dat	acprotect
behavioral2/files/0x000600000002321a-62.dat	acprotect
behavioral2/memory/4228-69-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect
behavioral2/files/0x0006000000023217-58.dat	acprotect
behavioral2/files/0x000600000002321b-63.dat	acprotect
behavioral2/files/0x0006000000023218-55.dat	acprotect
behavioral2/files/0x0006000000023219-60.dat	acprotect
behavioral2/files/0x0006000000023217-57.dat	acprotect
behavioral2/files/0x0006000000023219-56.dat	acprotect
behavioral2/files/0x0006000000023218-54.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	3ffefd64237bb69a508ac3de79ee761f.exe

Executes dropped EXE 3 IoCs

pid	Process
4780	1.exe
1764	2.exe
4228	Firefox.exe

Loads dropped DLL 5 IoCs

pid	Process
4228	Firefox.exe
4228	Firefox.exe
4228	Firefox.exe
4228	Firefox.exe
4228	Firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321b-61.dat	upx
behavioral2/files/0x000600000002321a-62.dat	upx
behavioral2/memory/4228-69-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral2/memory/4228-72-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral2/memory/4228-70-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral2/memory/4228-68-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral2/memory/4228-67-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral2/memory/4780-75-0x0000000000A10000-0x0000000000A20000-memory.dmp	upx
behavioral2/memory/4228-66-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral2/memory/4228-65-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral2/memory/4228-64-0x0000000060170000-0x00000000601D7000-memory.dmp	upx
behavioral2/files/0x0006000000023217-58.dat	upx
behavioral2/files/0x000600000002321b-63.dat	upx
behavioral2/files/0x0006000000023218-55.dat	upx
behavioral2/files/0x0006000000023219-60.dat	upx
behavioral2/files/0x0006000000023217-57.dat	upx
behavioral2/files/0x0006000000023219-56.dat	upx
behavioral2/files/0x0006000000023218-54.dat	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2.exe
File created	C:\Windows\assembly\Desktop.ini	2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	BackgroundTransferHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	BackgroundTransferHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BackgroundTransferHost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	BackgroundTransferHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	2.exe
Token: 33	1764	2.exe
Token: SeIncBasePriorityPrivilege	1764	2.exe
Token: SeBackupPrivilege	1352	BackgroundTransferHost.exe
Token: SeBackupPrivilege	1352	BackgroundTransferHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4780	4572	3ffefd64237bb69a508ac3de79ee761f.exe	92
PID 4572 wrote to memory of 4780	4572	3ffefd64237bb69a508ac3de79ee761f.exe	92
PID 4572 wrote to memory of 1764	4572	3ffefd64237bb69a508ac3de79ee761f.exe	93
PID 4572 wrote to memory of 1764	4572	3ffefd64237bb69a508ac3de79ee761f.exe	93
PID 1764 wrote to memory of 672	1764	2.exe	98
PID 1764 wrote to memory of 672	1764	2.exe	98
PID 672 wrote to memory of 4228	672	cmd.exe	95
PID 672 wrote to memory of 4228	672	cmd.exe	95
PID 672 wrote to memory of 4228	672	cmd.exe	95
PID 1764 wrote to memory of 1352	1764	2.exe	109
PID 1764 wrote to memory of 1352	1764	2.exe	109

C:\Users\Admin\AppData\Local\Temp\3ffefd64237bb69a508ac3de79ee761f.exe
"C:\Users\Admin\AppData\Local\Temp\3ffefd64237bb69a508ac3de79ee761f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 984
    3⤵
    PID:1352
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\Firefox.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:672

C:\Users\Admin\AppData\Local\Temp\Firefox.exe
C:\Users\Admin\AppData\Local\Temp\Firefox.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4228

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
46KB

MD5
4be917889893ce3a520107ffc0fb9c2a

SHA1
c7183d70486f56d043c1ac05a5644df6aaae0f68

SHA256
683ad847eff83c2a1f45f16a5dfb34b0b819ae9538214cc327f147f2383fc20f

SHA512
0e3b2cf04b71981aa629a2dec0ccd7ffc3067d02db5bc45a06b2893059111f68d7d279f6fc4ce041bc636c716bc4a3ece13f50f79bba687f4bc080807452a5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
45KB

MD5
94ce2967c92363d80be11b0a7ee850c8

SHA1
31cff42bdb071a3a2c08a9ac7e1ec7f5cf8e7811

SHA256
0a19bb57ac7ec2fa81fd2cf0ba2135746c324339ca2d85bcbf00168f8dd811e1

SHA512
30ff29debaad4657e575ea82b8a1a01ebfe44f402f5bccd5c23cbf7263a39920ab1ba6cd78185b04cb2ab918b4c3557a94ec7d5d99c138c72ebf7147b42813d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
48KB

MD5
8a6dc378f9e98afbf9bbe11b36315da1

SHA1
04927ac76dddc0ee6f3a2e47a9ab5861980999f4

SHA256
ade4a34061eb41c3012745a021cc4671d02472577802f1f90b97fa39b7644475

SHA512
7d0094f9e588f9cdf6d25fd17228db7206258ff96f532e5af0a137cf3353ab76284b4982b46af96318f9c62bc6c8d1ef6486f1e99b1ff7436b6ddf1d938a6370

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
50KB

MD5
19cdc105f039614deb7dbdeb5ae4d823

SHA1
025566fb38540cdccc1f4094174d5a6d980f62a2

SHA256
d2ce33896d204a1e193975f588d1890a003223cd1c1efc8d86fb940b90cdddb8

SHA512
1b0f04d4b2adfb8f4f182a204b231e263723097b7d46f5ceab49c822ae373964a9c683c497e60a297c6836e6bb3c4defcba708e02b20d84a6865989493d8e424

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.exe

Filesize
34KB

MD5
10b23c892d04544bb6140aadf9dcdf49

SHA1
7dda00b4b7695565284b58aa1173ca7b14572170

SHA256
946f1f0559aa0435c77e4211336c3d4a1b699b67e617e235e4fa811bd258dfeb

SHA512
c575c352f1497f45229e4d420c779b27004cc8739c9a5927ddd5dabfc8106bf5163ca5c45f08571c30a04adc1b132cb0ad8897809f6728ad015ee405ae71cf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.exe

Filesize
43KB

MD5
58356ef605e65db02ec6041234716eea

SHA1
3bd641ab6518f0ace86fde5a868887092395df86

SHA256
920842734e593f6b11746ce557556a1def641cb653e215d4cfbb7fa0eef90e5b

SHA512
6a82c4347b6d560bf032108210d3ddf3c73d2bcdfc4d55ad7382d99de2c36a3eb80d194140145b81aded88ab84b39ffa9ede35a592bb96ac7852aaa7b8b44cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspr4.dll

Filesize
35KB

MD5
2f3dcb888b2ad02e43a282c5d4da4019

SHA1
edd6fb6a571565d337b971bd60990e45531a6c03

SHA256
106a1c219364dcfcb63e547d11f39d91976bd0eef6b37b6f51520374bf6d682b

SHA512
367dd26e9914246a22b7ee5bb3f9b51200bc31d34e3af6d0f79585608fba4b6e16b5e22feb64b5dbe2353bb08ca8e5b971bd6d03b35d19a26dec0b045f2ba198

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
138KB

MD5
5bb0b14f4d459dc4c3d213f885ab58a2

SHA1
b2d34d6408ed15993c28ad078750c29305fb8dfc

SHA256
a1ab17d9d62141c5ec5f4a7a8d26580ded8129750daade41fef90fe018d284fb

SHA512
bacdd55eb859bb20fcf8268a92d3314378ae330857b01a16b6e342662e7cc5893344e7f1e4ca26393125cbe79cdd20c50813b016cf3846997814e5badd6cec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
35KB

MD5
6b04fcbc40b9e77000783d68cfeb78f6

SHA1
0e18fca10510cc2b838e563e884a712bf13d0747

SHA256
43af31b628db96c1eea4227e06951a54bbc754e69731218da5881a84fceabdbc

SHA512
dd2ea67398d15cbf1360456fe062a6f5ce9bed8610a58dfdfd46daa3208af8e7c24774ab7680c362e48c7c2c2cbfed61724406e165131a87aff1223f28d7612b

Download Submit
C:\Users\Admin\AppData\Local\Temp\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\plc4.dll

Filesize
5KB

MD5
e012b9976d831cf488c6231599059ba8

SHA1
34e08f036c06753d95e72c1359ddd2bdb458f29b

SHA256
d9e8e5a837a5d771b983613ad6eb73a32c473fc5ebe66ff7d7f1c69896073f9f

SHA512
776aa740ed825df322a62510e17551bf8cc7566917f898b2fd57c7bd7bfefa7f43aa7f45c0848b67da9490aee6be9b20ba4d6be127f0287fa7f7b972c2125296

Download Submit
C:\Users\Admin\AppData\Local\Temp\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
49KB

MD5
ffb517139ee50b8a70a74cbf0f1781bc

SHA1
ac3c8a25b97efcb80d0b879345efccd8b78eac3c

SHA256
42a9ecacaba3ba83af0cbd839a3ff62b3b2a4497e6f2ea6ce00e62b0fb695342

SHA512
dad3779635e01a73be7b067c89644244c4425b71ec70c0e3b1a07f1b4d3035aa7ee9a9fd64c1d9fc27e404625dc10b4a9e4390f0ee54f7d2a5dd0681f499ccb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
56KB

MD5
41645cbb51db2035f70f09a5e36ed328

SHA1
774d1844e7895160087813f1c4cc4b364a5b677a

SHA256
88c0f14b034edd5a9e9585b6856e624bf1402913273cae9833da251037f6c9e9

SHA512
365b0e560aeafb2ef72f161407c39e55837edc62d29bb700470e571f6847bfb3c3c7433962a5bd25930cf7ab7eae9998bb9d07437222d962c9e388a358b83aed

Download Submit
memory/1764-80-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/1764-33-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/1764-41-0x000000001C710000-0x000000001C790000-memory.dmp

Filesize
512KB

Download
memory/1764-34-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4228-69-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download
memory/4228-72-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/4228-70-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/4228-68-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/4228-67-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/4228-66-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/4228-65-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/4228-64-0x0000000060170000-0x00000000601D7000-memory.dmp

Filesize
412KB

Download
memory/4572-29-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4572-1-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4572-0-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4572-2-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/4780-32-0x000000001BF00000-0x000000001BF9C000-memory.dmp

Filesize
624KB

Download
memory/4780-26-0x000000001B3C0000-0x000000001B466000-memory.dmp

Filesize
664KB

Download
memory/4780-31-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4780-28-0x000000001B940000-0x000000001BE0E000-memory.dmp

Filesize
4.8MB

Download
memory/4780-35-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4780-30-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4780-27-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4780-42-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4780-75-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4780-36-0x000000001C060000-0x000000001C0AC000-memory.dmp

Filesize
304KB

Download
memory/4780-81-0x00007FF9174B0000-0x00007FF917E51000-memory.dmp

Filesize
9.6MB

Download
memory/4780-82-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4780-83-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4780-84-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads