109b3e3dac155ed27e2b79b9f9f1fce6732d5f17177676ef79590b1e89a9671e

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e5afbfe7cf9338cd2ca3680ad19489.exe
Size

91KB
MD5

02e5afbfe7cf9338cd2ca3680ad19489
SHA1

f0bbc2efc11c9121c9926010d9bcaf01319b6044
SHA256

109b3e3dac155ed27e2b79b9f9f1fce6732d5f17177676ef79590b1e89a9671e
SHA512

0e5fc2edfeabe3fb9ef6fd91a08b93dee93d174b8eed95d6be93c4c8020d7383f80c953210e4880c468d22cdd2abec710698a62773e7d73bf8373636ca20be3c
SSDEEP

1536:MSLuq39X6jiYbrVjxwYxFxyl5rUW/kdvqT1+vp7KHRV86ElZlbC2AX4i:MEuI6jiO7wYxnyl6ckCJe6ElZdoB

Score

8^/10

evasion persistence trojan upx

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	02e5afbfe7cf9338cd2ca3680ad19489.exe

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002314d-10.dat	acprotect
behavioral2/files/0x000800000002314d-28.dat	acprotect
behavioral2/files/0x0006000000023202-53.dat	acprotect
behavioral2/files/0x0006000000023202-52.dat	acprotect
behavioral2/files/0x00080000000231ff-49.dat	acprotect
behavioral2/files/0x0006000000023202-43.dat	acprotect

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/files/0x000800000002314d-10.dat	upx
behavioral2/files/0x00070000000231fd-20.dat	upx
behavioral2/memory/4560-21-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/files/0x00070000000231fd-19.dat	upx
behavioral2/memory/3488-16-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral2/files/0x000800000002314d-28.dat	upx
behavioral2/files/0x0006000000023202-53.dat	upx
behavioral2/memory/3052-55-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/files/0x0006000000023202-52.dat	upx
behavioral2/files/0x00080000000231ff-49.dat	upx
behavioral2/memory/2396-48-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/files/0x0006000000023202-43.dat	upx
behavioral2/files/0x0008000000023200-37.dat	upx
behavioral2/memory/2396-60-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-63-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-64-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-67-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-70-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-73-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-76-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-79-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-82-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-85-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-88-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-91-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-94-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2396-101-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	02e5afbfe7cf9338cd2ca3680ad19489.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	02e5afbfe7cf9338cd2ca3680ad19489.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1848	ping.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4560	02e5afbfe7cf9338cd2ca3680ad19489.exe
4560	02e5afbfe7cf9338cd2ca3680ad19489.exe
4560	02e5afbfe7cf9338cd2ca3680ad19489.exe
4560	02e5afbfe7cf9338cd2ca3680ad19489.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1524	4560	02e5afbfe7cf9338cd2ca3680ad19489.exe	23
PID 4560 wrote to memory of 1524	4560	02e5afbfe7cf9338cd2ca3680ad19489.exe	23
PID 4560 wrote to memory of 1524	4560	02e5afbfe7cf9338cd2ca3680ad19489.exe	23

C:\Users\Admin\AppData\Local\Temp\02e5afbfe7cf9338cd2ca3680ad19489.exe
"C:\Users\Admin\AppData\Local\Temp\02e5afbfe7cf9338cd2ca3680ad19489.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ok
  2⤵
  PID:1524
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
  2⤵
  PID:3984
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
  2⤵
  PID:3488
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  PID:2308
- C:\Windows\SysWOW64\com\lsass.exe
  "C:\Windows\system32\com\lsass.exe"
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\com\smss.exe
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.dll"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.000"
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\ping.exe
    ping.exe -f -n 1 www.baidu.com
    3⤵
    - Runs ping.exe
    PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\037589.log

Filesize
31KB

MD5
13428ec86cbeb60692c63170e0dcce77

SHA1
86ad96e9d2ea0f25660582912348662730bd0cf3

SHA256
f49b3d6c257590fbc267ecf3f6fb07ec799f7bcf67acec2a1cb6ce52a80b8282

SHA512
889e9b7200bbc3302c21d97a83fb7da6f1fe894185aa6d5bf0ddf58a3a5ac5173da79e152c3b98c780f8da45c9fc2d50db426aca8d34f928e03072300368f42e

Download Submit
C:\Windows\SysWOW64\Com\lsass.exe

Filesize
28KB

MD5
7bdbbee4d35ebf56fcec322707c1cc97

SHA1
8c9115dccf259bc6081629d41c3ac1f7afdbb2af

SHA256
83d52add23e75d6b1fd71848eb5659cede37763f8f9c2c569a6b5b88aafda03d

SHA512
acd9b1961a753822106d23f4843cedeafe0d5eb75ac8d3a8b9321fb723167cda98bf75c4edd1fcbc3865252ea0cf72594c52351b3ad17da6b1f550937061ad22

Download Submit
C:\Windows\SysWOW64\Com\netcfg.000

Filesize
16KB

MD5
d1f6b9273cbb2e23aeed11346d0072c5

SHA1
0d012a7c7b37082dcbd5e1688f72eeade705f825

SHA256
dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc

SHA512
4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

Download Submit
C:\Windows\SysWOW64\Com\smss.exe

Filesize
24KB

MD5
ce789028263dcab1d7303d28d941bb85

SHA1
996a0c2dd9d27489385eb62484c93d7b6e1f3cb3

SHA256
75c12807fee39db419fc844d1e747dc373ad0d9b20f8c75f9e8ea161aba8e409

SHA512
a611465ea6b77b78037161182e211d884e3d86eb7401c63ea77a704db8040f24a2aacf6d34a1ad527aab987c433e2614b979157c1f850252ffaf038f2098b421

Download Submit
C:\Windows\SysWOW64\Com\smss.exe

Filesize
33KB

MD5
06bfdb7120d12fc18546c041fb31555d

SHA1
c3dff816027bf86df7556d41588b8fd1fe558c0f

SHA256
9f2325ef2f5cb69dd850fece78e44011821c97a594bb182f4ac7c3c4fbb254d1

SHA512
84fff20267ef610c12d6058930eec937c49b64c6fa3d380ba8f3ef524c16e1976a703020f7ed969d130dc1528483f0845eb31b26f86d84ea3eb9fed1bdbe64c4

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
26KB

MD5
6d2b951c9aa43b769c870517047a3dc4

SHA1
120c5d82c7cc833733313c9cbd32b2d3d16d5435

SHA256
1d68c39f5c7623b4372996388407a81d24587536b4bc76564ee758d82c2d9e45

SHA512
2f56fff193708d203b4a555adca78db6129140cf12ff055d8ca01d1115002b1f98a50ad9df1b1fbfec207c78aa5e4621b9f38a39d7d3ed010ffc9203fcad8ba1

Download Submit
C:\Windows\SysWOW64\com\netcfg.000

Filesize
12KB

MD5
354b946c9baddc04bb53603e6ea6cc36

SHA1
7135bbe5608fe47be6ddb6482554e0ff2bcf663e

SHA256
104cc59fe47e5ecb7a5bd6a224eeb44f83f8300cbda42cd111ba644bcc1c907f

SHA512
5a965805fff441c16735e7b7a1d7550a0c1c4b19cce675c76c9b2468e55ed62ccf72c4196acd5d7980d339e92d342f053a2a668f24a77cf36b7f7edd116773d2

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll

Filesize
1KB

MD5
11e8d0bb4b81c496d31c0d13d8ff482b

SHA1
94dfd2035e82aa2a9a08ea67e6a4e609e7931b99

SHA256
211e219c94ad2b3c8e94b44ab41d3be8f140fbb3caea009ef7dfcd6ef450bdb4

SHA512
ac0bcfee539ee8add24b57616729da7e5bf6964ff8db4047203f3c5e43d6bdef0b81f522dc8bfcb52d0db0517f72d6d981afea194edc3bf4ad66a28ce1c7b7aa

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
1KB

MD5
188e46f3c29b4d4651310fa11f79cbfe

SHA1
616b882e984ab374143cccba653371e7cf1640ab

SHA256
93aafa259a0f9af9fd8ac9fdd4c771b52bd33cfe7493dd533dcd1bb91a65becf

SHA512
d9a0a896867ec87664f0bbfceba9d2d63f729e0478df98d5703f2f0ae0acac692567107766413aee5cca90b64765de82182a6548fbe631bccaaa9708759d2057

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
25KB

MD5
29d70aa961ff0a821e86dfeda1a1d0ec

SHA1
f7e1ef5d01db9b02a873fdd41772442b7855baf0

SHA256
dfc009003a21d6f176622a34afa7dff7810904e83ecea1d85c0948497c667d94

SHA512
484c3284b79f673645abca2e0fb7626423ebf89821c1b7918f9769c321ab63f47622acf3a74071e291b9fa17271096fe2b253eb4c35743979ed8f32e7642443b

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
10KB

MD5
9a55cc3e60457dfd91175f3f2c239802

SHA1
b1784924d02895a24371e948668ad9e9e4d406cd

SHA256
c628a6e0121f3b67920dfdbaf09c3bdd9dd84f72d1ecca57ac9c33cb52bfca28

SHA512
51e6c8312dd04b37c06ee4443397440f5ee530cdbc8731bc865fe8ad7f2eb22efc400d5728cb2e17eafcb4357ed36f160d7c0712193cda8dc0731242eed0ea3e

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
43afc709415b0dfb297dab1209d993b4

SHA1
41c01847c7533aa848ae3f1b82535385857693ed

SHA256
70a6d9489cbb1d3384780f0529c9b32e537e24bdf13c315d7b8e6b3d9d14fc8f

SHA512
a84cade3177e0d1b0672082faebca2a728f69f97750b080bd43a1567307e3b253b48e102adb7fb20ca48d882cb7094a8e1a7a0f816def1acca6072f3a21aaa91

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
27KB

MD5
80e323d6c3ee17034c3bde444aad359b

SHA1
5abbd9ce47e15727fe759cfe15aaaaad97ca9315

SHA256
bf9d021e88a5fa00992fce160379a73a12dbc0f115c0c53b70d2eb98d15eabcf

SHA512
9288bdfa014e0723ac727a9e94a19300e6c5392a6a92b639a334a3e469bbc6c4cbdf85337a43a80ef6b03333b8df71712f97293dbab5a6cee57f99c07e28a4c8

Download Submit
memory/2396-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-101-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-88-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-48-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2396-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3052-55-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3488-16-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4292-54-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4560-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4560-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads