24d5f819742b619260f8c78daa236c0d2a299557a26a6217b0ab5db57c71c4c6

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55689ea3dfa71b1d248b13f454ac9b3c.exe
Size

3.4MB
MD5

55689ea3dfa71b1d248b13f454ac9b3c
SHA1

11543e332deb0b253ba7482e7e4241e319add456
SHA256

24d5f819742b619260f8c78daa236c0d2a299557a26a6217b0ab5db57c71c4c6
SHA512

c46923eb7161fc6e0aacf284ff06572915ce04f37e23b8a2681d0594224dbd77314d2bc39cecd4a668857b22ade6e55208cd78ad2c6307037cef54723bfefe2e
SSDEEP

98304:AsxdCUnH2B3h4pnLAEIDpY0e8+QGtwXHQ4475no:VXCUWthMrIDpYTwXHQW

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023232-87.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	55689ea3dfa71b1d248b13f454ac9b3c.exe

Executes dropped EXE 1 IoCs

pid	Process
3688	b908Installer.exe

Loads dropped DLL 16 IoCs

pid	Process
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe
3688	b908Installer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3688-90-0x0000000073BC0000-0x0000000073BCA000-memory.dmp	upx
behavioral2/files/0x0006000000023232-87.dat	upx
behavioral2/memory/3688-138-0x0000000073BC0000-0x0000000073BCA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4832	55689ea3dfa71b1d248b13f454ac9b3c.exe
4832	55689ea3dfa71b1d248b13f454ac9b3c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3688	b908Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 3688	4832	55689ea3dfa71b1d248b13f454ac9b3c.exe	91
PID 4832 wrote to memory of 3688	4832	55689ea3dfa71b1d248b13f454ac9b3c.exe	91
PID 4832 wrote to memory of 3688	4832	55689ea3dfa71b1d248b13f454ac9b3c.exe	91

C:\Users\Admin\AppData\Local\Temp\55689ea3dfa71b1d248b13f454ac9b3c.exe
"C:\Users\Admin\AppData\Local\Temp\55689ea3dfa71b1d248b13f454ac9b3c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\temp\b908Installer.exe
  "C:\Users\Admin\AppData\Local\temp\b908Installer.exe" /KEYWORD=b908 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b908Installer.exe

Filesize
1024KB

MD5
f9fdb57d6099d5ae947ca54bb6f1f145

SHA1
fd5c86d3c9dad0e6bc446eebd738180caab55d42

SHA256
d14db7b5f1dbef6d2572b49d92ef5f88c8f89d997d69307391cdf4f1a0d2e575

SHA512
84926f94e34e2254682e84376ab304ded2d8bfd7fa0799f24a325c6c61db11a0791f75128d70eeaea7e116d6e4dc72e350c4089afaa6192fe4b93bf006bed214

Download Submit
C:\Users\Admin\AppData\Local\Temp\b908Installer.exe

Filesize
99KB

MD5
19fead2b07f34f6c5c18ab08531ecfca

SHA1
2a5d598f123adf6ab9f6c547163872b13afe8c08

SHA256
12821226b50ef24a69aaa37d0dcb4ddf92f58d9430cbe36f87828762afc6aa87

SHA512
2db5e54df7167defd9a7095135ddb0ef36fa94bea4a627f700f130fd220c1197efe2e527f3b5e97578244a7aee004f6232773a436a3696cb323c9e9068198a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ToolkitOffers.dll

Filesize
92KB

MD5
ba87eacce7993129bfeab279729cdd39

SHA1
5c9dfe1b729e10fe38135a384e5b5df8ef03cae6

SHA256
b65bafb462c18f60a781bb013bc46184c4025da94c1ff5ca1f6e92a9a59231d5

SHA512
8f2367e3b1350d45fc2fc4100509570b4d61de1525129164b99a9fd1910ca7e1e1c4485fad5f36bcffc18881e7990b302d59b7c7c544b4bc4a7925c5262b7ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ToolkitOffers.dll

Filesize
101KB

MD5
42a8741421956716b7b582bd70a13a8a

SHA1
f23d0d7978f3f82a737e1797fbd31ccb795d48e1

SHA256
969542ea2f51eb15e36299dc6402f8558361b7917ab5e3967d4b0353c798832a

SHA512
a7229cc9d32ab7986ee4b8628c2918fa666a8ea9674a7140cfebd197de905a469c830936e89071295fe0377b510b074883138c739e59304c070fa74d586a1666

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ToolkitOffers.dll

Filesize
287KB

MD5
42f5e64589bf6e1b18533764574ce476

SHA1
726feb1a79354bb26ad5dac3b9af637f79aeb40f

SHA256
d88a6ef56a71857b771bf2e554fc473f4ce242ec6f2ebb0ba8a53f222ad58ccf

SHA512
d2f510540b7e4b5e58538f86b1fa4e1a5e9e1a862517e443c409ebe611f905e89f3cc7b45f669420869f049e2464c082758d49834bfd1502534de4e2307ca1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsArray.dll

Filesize
6KB

MD5
6585fc9e20b149a15e4dbb8aab03dbf6

SHA1
d3839b1694341ad494b0f92e4e3c6cc1c18e2333

SHA256
08e298c9a25208730f165660af4eec21e9fbd8021c34bce12a020d27e51843d4

SHA512
234f98317ba3a0cad5954a261610e0c851f3ae01d8213267bf4c06b259b57f1cc629c81b10e0778755065973381be33496a2f2ed82fea6c92540a389d7126476

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\temp\b908Installer.exe

Filesize
1.4MB

MD5
1935b160c05b80ce66e0456a4beefde4

SHA1
4c418b361dd32703799a2b3c5f9b6bc2a26ef16a

SHA256
4c21e310373ea6aaa4bca9a70db51c61101517a9a060406a537557cf966f44ef

SHA512
e1515baa09c9e4eb23880df2b98d4aae4214994ede53d87ff7d1158fe93b6673f903c5e3d047ce8c4d90527c6c73953d6b0220542feaa055130eaff9e7ed27aa

Download Submit
C:\Users\Admin\AppData\Local\temp\b908fondo.bmp

Filesize
206KB

MD5
874872f37064142f57bf65b4d4e76b7c

SHA1
c0ac89fdefeb0f058a9eaf3a3ffe6e4106e33bbc

SHA256
809553991e838eee365810e522b42d3ee961e75badd285fd5ed4fcab2e785828

SHA512
c8af043ebc39a203e6f65de86205dedb95623321548fac525f86a56f28815678d53774e80ad72a2c3723a8fcc4c01799b4c00013a11c15508793b101557470c9

Download Submit
C:\Users\Admin\AppData\Local\temp\b908header.bmp

Filesize
25KB

MD5
7850a97d419560dea92408a29e58a917

SHA1
eaa154c0e76161bbe2138803776f734885ece051

SHA256
885bf610ddf6f2b4bd392f892c62595be99487a552a949f8111bc179e87cb8dd

SHA512
77684a3c616943139bc56e51a4030b154687a82542053bcd9b09cda8fa84bab6d499916850db95b9b28cf84cc99af9b748b5eca9bb13c4ddcf9f099c077a5863

Download Submit
memory/3688-145-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3688-138-0x0000000073BC0000-0x0000000073BCA000-memory.dmp

Filesize
40KB

Download
memory/3688-90-0x0000000073BC0000-0x0000000073BCA000-memory.dmp

Filesize
40KB

Download
memory/3688-152-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download