07eb010a0e1d7513deeece76892eecabac4927f0c59a30d24b8b1c3c0807e25b

General

Target

201b0c58afbf0f366b2c932cd0f0f1b6.exe
Size

1.2MB
MD5

201b0c58afbf0f366b2c932cd0f0f1b6
SHA1

4d414d8a960a04ff63cfa859c3c49083b83ccfcd
SHA256

07eb010a0e1d7513deeece76892eecabac4927f0c59a30d24b8b1c3c0807e25b
SHA512

ce7fd701352c6adb45c945bf9d3e33f649aa15a8e50b191ef92b3144c0b27291f82632266ed0a39a0e40c155962e122bc8ac6e8d7a31dd76fbd70ed7e5e1cf2e
SSDEEP

24576:h9WC988bu6Coaypz82LE3XZK8mLE4EB/DXqSM0s14V4y:hB88TCoBpz82KXY8myDXHKyL

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/4016-89-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	acprotect
behavioral2/files/0x0007000000023238-81.dat	acprotect
behavioral2/files/0x000800000002313d-68.dat	acprotect
behavioral2/memory/4016-117-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	201b0c58afbf0f366b2c932cd0f0f1b6.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	030bInstaller.exe

Loads dropped DLL 14 IoCs

pid	Process
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe
4016	030bInstaller.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4016-89-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	upx
behavioral2/files/0x0007000000023238-81.dat	upx
behavioral2/files/0x000800000002313d-68.dat	upx
behavioral2/memory/4016-117-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	201b0c58afbf0f366b2c932cd0f0f1b6.exe
4948	201b0c58afbf0f366b2c932cd0f0f1b6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4016	030bInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4016	4948	201b0c58afbf0f366b2c932cd0f0f1b6.exe	27
PID 4948 wrote to memory of 4016	4948	201b0c58afbf0f366b2c932cd0f0f1b6.exe	27
PID 4948 wrote to memory of 4016	4948	201b0c58afbf0f366b2c932cd0f0f1b6.exe	27

C:\Users\Admin\AppData\Local\Temp\201b0c58afbf0f366b2c932cd0f0f1b6.exe
"C:\Users\Admin\AppData\Local\Temp\201b0c58afbf0f366b2c932cd0f0f1b6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\temp\030bInstaller.exe
  "C:\Users\Admin\AppData\Local\temp\030bInstaller.exe" /KEYWORD=030b "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf4854.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4854.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4854.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4854.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4854.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/4016-113-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4016-92-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/4016-91-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/4016-90-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/4016-112-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/4016-93-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/4016-89-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download
memory/4016-117-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download
memory/4016-119-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/4016-120-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing