33a4527a3c4cc0010fa6b31d5189fb820f11d86772916a14dfc35a62a24d01c1

General

Target

460c38cca54d04b90b48c9b1ff679496.exe
Size

123KB
MD5

460c38cca54d04b90b48c9b1ff679496
SHA1

959d6d09551a017fb6ce8cb591b8fcd05d222578
SHA256

33a4527a3c4cc0010fa6b31d5189fb820f11d86772916a14dfc35a62a24d01c1
SHA512

85129f2d0834f55f1e494c9f490c8456914663cf9afc753e3aeb239da3df5c50fd67c48571c372ac86faf81f26aa6b35ee65fb3051ef6b0ea21004647090446d
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLcP7df:OVYrJrOSsRwcp6Pxf

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000015e90-32.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2296	iaccess32.exe

Loads dropped DLL 3 IoCs

pid	Process
2772	regsvr32.exe
2296	iaccess32.exe
2296	iaccess32.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000d0000000122a5-5.dat	upx
behavioral1/memory/2164-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2772-33-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral1/files/0x0006000000015e90-32.dat	upx
behavioral1/memory/2296-79-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2164-80-0x00000000003B0000-0x00000000003DE000-memory.dmp	upx
behavioral1/memory/2296-81-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-82-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-84-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-85-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-86-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-88-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-89-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-90-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-92-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-93-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-94-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-95-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-96-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e_2_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100713190735\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\instant access.exe	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713190735\medias\p2e_go_3.gif	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	460c38cca54d04b90b48c9b1ff679496.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2668	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2164	460c38cca54d04b90b48c9b1ff679496.exe
2296	iaccess32.exe
2296	iaccess32.exe
2296	iaccess32.exe
2296	iaccess32.exe
2296	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2296	2164	460c38cca54d04b90b48c9b1ff679496.exe	28
PID 2164 wrote to memory of 2296	2164	460c38cca54d04b90b48c9b1ff679496.exe	28
PID 2164 wrote to memory of 2296	2164	460c38cca54d04b90b48c9b1ff679496.exe	28
PID 2164 wrote to memory of 2296	2164	460c38cca54d04b90b48c9b1ff679496.exe	28
PID 2296 wrote to memory of 2668	2296	iaccess32.exe	29
PID 2296 wrote to memory of 2668	2296	iaccess32.exe	29
PID 2296 wrote to memory of 2668	2296	iaccess32.exe	29
PID 2296 wrote to memory of 2668	2296	iaccess32.exe	29
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30
PID 2296 wrote to memory of 2772	2296	iaccess32.exe	30

C:\Users\Admin\AppData\Local\Temp\460c38cca54d04b90b48c9b1ff679496.exe
"C:\Users\Admin\AppData\Local\Temp\460c38cca54d04b90b48c9b1ff679496.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:2668
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20100713190735\dialerexe.ini

Filesize
587B

MD5
b761c02598b6324568cce34615b382dc

SHA1
09b893906ebe85ead893869264435a2214a102c5

SHA256
0d554ae71b905da641005dab195d578e7fb6ea168bf93d144a58f27914249131

SHA512
99bd70da44c690fe45f42d9b9fdb89877f716c5ee860a763655cb25f7ca6269ba835e0889849c44ca58479da1361b37947dfdf8febe33e7f2b49ac12c8b6a081

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
5e67b2ff94ab8e61c65d35ab121b1c40

SHA1
d06958a6c86bd51c323ffedf09f09efe5da93be6

SHA256
324346e2b8320d2ab9670cdeff38506328335e5fa8c7b0058f33ca95b8ac48da

SHA512
f101befa62f8975fa70a5ba461d2a456abd9a9c42476cb8d0e46086babae59e7ff226e2ef7083321f3a0a73b1c3c47bf3822b2f8cb6de2d27dcbe0bbfcd9ab0e

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
902123b642d68566872550363f5426f6

SHA1
9c6c166ba6572f32c1f5ca4b8186c12ad5137170

SHA256
d2a4c6b93bc5d87d3a197b06f418778a2713187b0fc646a79cb9129614729819

SHA512
cbc65ee23a25cd12621ec68d50a3935bb94e14e58f8427ea24a9e64342441dd158320a03e9c3ed7aace58bbaa63d06fa45a6b7d289698c643fb5f0add647253a

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
memory/2164-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2164-7-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/2164-9-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/2164-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2164-80-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/2296-88-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-46-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2296-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-83-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2296-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-56-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2296-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-93-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-94-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-95-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-33-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing