24aea40d932529f598b842f4ea121fce95424b966034f16798dbe8807db1afa4

General

Target

vkfiles.exe
Size

8.3MB
MD5

1df524bd18c791b57652672d62d6bba9
SHA1

751deb43726f3541064153d3b8fb1cf266e178b5
SHA256

412ff8e5213ae3829466eebb6a06318371335a978577aa073d4fc3608432a772
SHA512

88aaf03e297cd4e76e92b648a45d0fc4eb9f98549a449192c54633cf75d0e89d759c36bc73a9da41477836e6300093059efa8650798c064b3ffecc6d82016a8d
SSDEEP

98304:47gJaOZRQAM8RS51ppZZSZNH66gxhIjElI4nqUj6nkGrlowGO0f:47MZR7M8RSzpFeZUgjHaqUj6TAx

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002320e-9.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
3960	vkfiles.exe
3960	vkfiles.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002320e-9.dat	upx
behavioral2/memory/3960-11-0x00000000050E0000-0x000000000513B000-memory.dmp	upx
behavioral2/memory/3960-60-0x00000000050E0000-0x000000000513B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 3960	2364	vkfiles.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3960	vkfiles.exe
3960	vkfiles.exe
3960	vkfiles.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96
PID 2364 wrote to memory of 3960	2364	vkfiles.exe	96

C:\Users\Admin\AppData\Local\Temp\vkfiles.exe
"C:\Users\Admin\AppData\Local\Temp\vkfiles.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\vkfiles.exe
  "C:\Users\Admin\AppData\Local\Temp\vkfiles.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{4DBC61CD-65D9-4493-9816-04C0D9849CD5}.dll

Filesize
120KB

MD5
c9f333d1ff898672a34805f94a265329

SHA1
2deaac66698fb2e9b3868d23034c3211c508b739

SHA256
07e546811635574c77edfda126b0e5f5292b4ea13f35158eddedcfc3cbf74b6b

SHA512
048c71e48e2def0bfc69ebfb69b834d650a9377082782333f50728fdfd6675df8093d0c87e606022e55d09f81549d4ca3b640bcdd33b9ddc9aace03ee1466add

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{313FBB2C-D025-402F-AC61-BE61409EAE17}\css\style.css

Filesize
435B

MD5
084e5106247df179675832e604b6fdb4

SHA1
99251e5d1acea608b5c7b9d4562eafc8aa4d831a

SHA256
c329401e50e3874130637abe653b3956ca9b9c4cb7edfe29940a6d043cd50118

SHA512
872ea0e6a5ba079618b9185e2ac1d8d4a101888aa96545281aaf5c833303ab5b9af7665c9028a62ee5272ad52092ec41668962923abb1ed30efc7a1213939f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{313FBB2C-D025-402F-AC61-BE61409EAE17}\index.html

Filesize
1KB

MD5
f686f7e42db106cb9febf34f6af2381c

SHA1
f83719505d2f1fb1ad47b9e2ea7499c2def4ad84

SHA256
e56769d8c3a415552ec65f87fb51e41d81f00a78e680d8ec673c9cd578872c55

SHA512
44ad87abd73e908c6b56eae62175ec4a5ef64f3bec13988042c03efdbfecc3e44f609842f09ba8bdccf95a65a789b79ea215d027e0c07b489b2b6db14c35a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{313FBB2C-D025-402F-AC61-BE61409EAE17}\js\lang.js

Filesize
632B

MD5
f3ca8504fe38798d402ada65acc0923e

SHA1
8f9930721e2a559be8e4379cb6e9dc9ffd71ef52

SHA256
f4b4d8d4bb78d970a3fcf6dc8ee0353776801ef373b54d839cd8853c1481a378

SHA512
ab1324ec6f5dcd034efadb6eef3224244de5eb328a4c28e4646a7a182d6af2ec60dad50f52b1e8aedbe18e3eb6a03a4705949763746952492e9abb0f9e01bec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zm_{313FBB2C-D025-402F-AC61-BE61409EAE17}\js\unitpngfix.js

Filesize
959B

MD5
997b4c4553a419650ec27b7f53cd94ef

SHA1
13a577fe4669412ef3d54bd761ff7878876079c1

SHA256
a044dffe80c9ce80d2364681836b7835fdc1c49f30ba83192231e5089973c9a4

SHA512
5f423448c03f1f79b4cc326125e27e60a57bf54c9c834c6be6b848712a814c71376a2def86bb5bbe20c4856798ee88560222f9ff60a9e81a5ece1110d7ef76c7

Download Submit
memory/3960-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3960-60-0x00000000050E0000-0x000000000513B000-memory.dmp

Filesize
364KB

Download
memory/3960-11-0x00000000050E0000-0x000000000513B000-memory.dmp

Filesize
364KB

Download
memory/3960-0-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3960-1-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3960-2-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3960-103-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3960-105-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3960-106-0x00000000050E0000-0x000000000513B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing