Analysis
max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
29-12-2023 19:24
Static task
static1
Behavioral task
behavioral1
Sample
019e8796f26200e850444bfb248e977b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
019e8796f26200e850444bfb248e977b.exe
Resource
win10v2004-20231215-en
General
Target
019e8796f26200e850444bfb248e977b.exe
Size
215KB
MD5
019e8796f26200e850444bfb248e977b
SHA1
afb464f06c49e7dde1641d007392679238be98e6
SHA256
6b8bb2e2462ecc377e7bc8efebfdb979b0b983543a8def350cca899a560760c8
SHA512
5eaac4a8bab03704c42154e48c0ce1de41c4de0d2104729bf4b00d6b712c04ed922e6333f9e74c2377324b98c62ed5c52c4e46e21aeab33636ca86d2b974b8e0
SSDEEP
6144:b8/NRY6t8mCWnhb2L2b3TbMsU2DdVVCJnN:b56tFJu+3PMsU2vVM
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Drivers\beep.sys  (process: 019e8796f26200e850444bfb248e977b.exe)
  File opened for modification: C:\Windows\SysWOW64\Drivers\beep.sys  (process: 360tay.exe)
ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  YARA rule "acprotect" matched resource behavioral2/files/0x000400000001e96f-4.dat
Executes dropped EXE (1 IoC)
  PID 2888  360tay.exe
Loads dropped DLL (4 IoCs)
  PID 3988  019e8796f26200e850444bfb248e977b.exe  (2 loads)
  PID 2888  360tay.exe  (2 loads)
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\360tay.exe  (process: 019e8796f26200e850444bfb248e977b.exe)
  File opened for modification: C:\Windows\SysWOW64\360tay.exe  (process: 019e8796f26200e850444bfb248e977b.exe)
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 3988  019e8796f26200e850444bfb248e977b.exe  (4 occurrences)
  PID 2888  360tay.exe  (16 occurrences)
Suspicious behavior: LoadsDriver (64 IoCs)
  PID 652  Process not Found  (64 occurrences; the sandbox could not resolve an image for this PID)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 3988  019e8796f26200e850444bfb248e977b.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3988  019e8796f26200e850444bfb248e977b.exe
  PID 2888  360tay.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3988 (019e8796f26200e850444bfb248e977b.exe) wrote to memory of PID 1376 (procid_target 98)  (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\019e8796f26200e850444bfb248e977b.exe  (PID 3988, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\019e8796f26200e850444bfb248e977b.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 1376, tree depth 2, child of PID 3988)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\019E87~1.EXE > nul
C:\Windows\SysWOW64\360tay.exe  (PID 2888, tree depth 1)
  Command line: C:\Windows\SysWOW64\360tay.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
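The process tree above shows three behaviours a detection engineer would want rules for: a binary running from the user's Temp directory writing 360tay.exe into SysWOW64, both the sample and the dropped copy touching the kernel driver file beep.sys, and a cmd.exe child deleting the parent's own image using its 8.3 short name (019E87~1.EXE), which defeats a naive exact-path match. The following Python is an added example, not part of the sandbox report: it runs those three checks over hand-constructed Sysmon-style events (event id 1 = process create, 11 = file create) that mirror the tree above. The event record layout, the parent PIDs 4512 and 700, the benign control events for PIDs 5000 and 5100, and the rule names are all assumptions made for the example.

```python
import ntpath
import re

# Constructed Sysmon-style events mirroring the process tree and signatures
# in the report above. Assumption: hand-written for this example, not sandbox
# output; parent PIDs 4512/700 and the benign PIDs 5000/5100 are invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\019e8796f26200e850444bfb248e977b.exe"
DROPPED = r"C:\Windows\SysWOW64\360tay.exe"
BEEP = r"C:\Windows\SysWOW64\Drivers\beep.sys"
EVENTS = [
    {"id": 1, "pid": 3988, "ppid": 4512, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 11, "pid": 3988, "image": SAMPLE, "target": DROPPED},
    {"id": 11, "pid": 3988, "image": SAMPLE, "target": BEEP},
    {"id": 1, "pid": 1376, "ppid": 3988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\019E87~1.EXE > nul"},
    {"id": 1, "pid": 2888, "ppid": 700, "image": DROPPED, "cmdline": DROPPED},
    {"id": 11, "pid": 2888, "image": DROPPED, "target": BEEP},
    # Benign controls: an installer under Program Files writing a DLL into
    # SysWOW64, and a cmd child deleting a log file that is not its parent.
    {"id": 1, "pid": 5000, "ppid": 4512, "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe" /quiet'},
    {"id": 11, "pid": 5000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Windows\SysWOW64\vendor.dll"},
    {"id": 1, "pid": 5100, "ppid": 5000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"},
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# First path argument after "del", skipping optional /q /f style switches.
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)', re.IGNORECASE)


def short_name_prefix(path):
    """Stem of the 8.3 short name Windows generates for a long file name: the
    first six characters of the name with spaces and dots removed, upper-cased
    ('019e8796...b.exe' -> '019E87'). Assumption: only the common '~N' form is
    handled; after many collisions Windows emits hash-style short names instead."""
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return re.sub(r"[ .]", "", stem)[:6].upper()


def same_file_allowing_8dot3(deleted, image):
    """True if `deleted` names `image`, either exactly or via its 8.3 short name."""
    d_dir, d_name = ntpath.split(deleted)
    i_dir, i_name = ntpath.split(image)
    if d_dir.lower() != i_dir.lower():
        return False
    if d_name.lower() == i_name.lower():
        return True
    return "~" in d_name and d_name.upper().startswith(short_name_prefix(image))


def detect(events):
    """Return (rule, pid, path) hits for the three behaviours from the report."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        image = e["image"].lower()
        if e["id"] == 11:
            target = e["target"].lower()
            # Dropper behaviour: a binary running from a user-writable path
            # writes into System32/SysWOW64 (here 360tay.exe and beep.sys).
            if target.startswith(SYSTEM_DIRS) and image.startswith(USER_WRITABLE):
                hits.append(("drop_into_system_dir", e["pid"], e["target"]))
            # Any write to a kernel driver file is worth a hit on its own.
            if "\\drivers\\" in target and target.endswith(".sys"):
                hits.append(("driver_file_write", e["pid"], e["target"]))
        elif e["id"] == 1 and ntpath.basename(image) == "cmd.exe":
            # Self-delete: a cmd child deletes its parent's image. The sample
            # names it as 019E87~1.EXE, which an exact-path match would miss.
            m = DEL_RE.search(e["cmdline"])
            parent = procs.get(e.get("ppid"))
            if m and parent and same_file_allowing_8dot3(m.group(1), parent["image"]):
                hits.append(("self_delete_via_cmd", e["ppid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:22} pid={pid} {path}")
```

On the constructed events this yields five hits, all against PIDs 3988 and 2888, and none for the benign installer or its cmd child. The 8.3 handling is deliberately a prefix match: it catches the `~1` form seen here, but a production rule should also accept a hash-style short name in the parent's directory rather than trust the six-character prefix alone.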
Network
MITRE ATT&CK Matrix
Downloads
Filesize
172KB
MD5
685f1cbd4af30a1d0c25f252d399a666
SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Filesize
215KB (identical hashes to the submitted sample)
MD5
019e8796f26200e850444bfb248e977b
SHA1
afb464f06c49e7dde1641d007392679238be98e6
SHA256
6b8bb2e2462ecc377e7bc8efebfdb979b0b983543a8def350cca899a560760c8
SHA512
5eaac4a8bab03704c42154e48c0ce1de41c4de0d2104729bf4b00d6b712c04ed922e6333f9e74c2377324b98c62ed5c52c4e46e21aeab33636ca86d2b974b8e0