04685173c15a1b90f447420d4a4dc3a5d25465cea3769fb9c160d03e0c655b52

Analysis

max time kernel
0s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc90f8f3bab7c2cb2bb35fa6670cc10.exe
Size

1.8MB
MD5

0fc90f8f3bab7c2cb2bb35fa6670cc10
SHA1

63428b2774d414bbaa9b62dabab676e23f7647da
SHA256

04685173c15a1b90f447420d4a4dc3a5d25465cea3769fb9c160d03e0c655b52
SHA512

40bb475f7a153c8450821ca33a8029b106c833fcf1b5a555910352c12c8d882776905203f311ed23ca7091741e780f407621970a879002fea00f4c5a7fbb38dc
SSDEEP

24576:hrMM8BDlavjUEQElhcjUuS+kQ0LaSA8o19MNMeE5GKSL1TimWOFCYzfCADRXriJa:hrMMAlavoRkQb8CuMebMmUYR2ius9

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002313d-103.dat	acprotect
behavioral2/memory/1372-118-0x0000000002980000-0x000000000298A000-memory.dmp	acprotect
behavioral2/memory/1372-75-0x0000000002980000-0x000000000298A000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4716	RtHelp.exe

Loads dropped DLL 7 IoCs

pid	Process
1372	0fc90f8f3bab7c2cb2bb35fa6670cc10.exe
1372	0fc90f8f3bab7c2cb2bb35fa6670cc10.exe
4716	RtHelp.exe
4716	RtHelp.exe
4716	RtHelp.exe
4716	RtHelp.exe
4716	RtHelp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002313d-103.dat	upx
behavioral2/memory/1372-118-0x0000000002980000-0x000000000298A000-memory.dmp	upx
behavioral2/memory/1372-75-0x0000000002980000-0x000000000298A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1680	1372	WerFault.exe	16
3336	1372	WerFault.exe	16
5072	2920	WerFault.exe	30
3108	5080	WerFault.exe	122

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4716	1372	0fc90f8f3bab7c2cb2bb35fa6670cc10.exe	23
PID 1372 wrote to memory of 4716	1372	0fc90f8f3bab7c2cb2bb35fa6670cc10.exe	23
PID 1372 wrote to memory of 4716	1372	0fc90f8f3bab7c2cb2bb35fa6670cc10.exe	23

C:\Users\Admin\AppData\Local\Temp\0fc90f8f3bab7c2cb2bb35fa6670cc10.exe
"C:\Users\Admin\AppData\Local\Temp\0fc90f8f3bab7c2cb2bb35fa6670cc10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe" --InstSupp --Supp 602 --Ver 179
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 888
  2⤵
  - Program crash
  PID:1680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 912
  2⤵
  - Program crash
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe" --PreCheck 602 --Uid 2692D4AD298E6D42ADF8A849C6988CF1 --Ver 179
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\nsc2236.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsc2236.tmp" /S _?=C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 612
    3⤵
    - Program crash
    PID:3108
- - C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe
    "C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe" --Uninstall
    3⤵
    PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1372 -ip 1372
1⤵
PID:3992

C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe
"C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADAAMABDADkAMABCADYAMgAtAEUARAA1ADEALQBCAEEANABBAC0AQgA4ADAAOQAtADQANQAxAEIARQAxADkAMAAyAEEAQQA5AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1372 -ip 1372
1⤵
PID:2624

C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe
C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Runner.exe
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 476
  2⤵
  - Program crash
  PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2920 -ip 2920
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Modules\cdp.dll

Filesize
91KB

MD5
2f369f9928242f730d3cf48678158111

SHA1
f31361fb3ed6f6654ad921cdc59786df4c10885a

SHA256
a056ad6496931b0c0a9405cf4f7a34db68c3b78b30d4907f9472994b836ea022

SHA512
c22c479183f66b65e1cf5b7ed75e30f18db5fd7f6427c04385990d181c53216df33994f296ed235357cc0f22e4d437e97983f910ec67fc7e52fe48fafbbebabe

Download Submit
C:\Users\Admin\AppData\Local\00C90B62-ED51-BA4A-B809-451BE1902AA9\Modules\nvs.dll

Filesize
90KB

MD5
7a5c3cbc47f14e03586be3ecd62fd1c6

SHA1
d850757b84d691a9b0f2ad1be471688afb273a8f

SHA256
7832da957a8d0b60b4245c71b512a03d481835fa7620046c3c31c361e0a0ba5e

SHA512
f9a64e6fcadfa580a273a4611eec2fb96d94fc2dd066c652ed442e735e202bf5e56f5e838926f6cad42e2363776a3b8f7d06dac3397b5d1e5065d0df16f0be7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\Modules\clc.dll

Filesize
111KB

MD5
68ec32cf0860c9db2f668964a928c913

SHA1
3949cd9177b93bc4ad76fdaf8bc2eb2252802972

SHA256
f1107b54b4cbbfbd7a894226317918f5aadafd56c65ea255c81facdc539b88be

SHA512
267bf7498638c7a062e617b44b0eed61df441ea3ea4efb7cded47c062d903d084594797be5a9ccc783a5fd50f84799a2f33afda03cfff731b0e7c215b649f18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\Modules\crm.dll

Filesize
104KB

MD5
d925422843f1e14f6504456764219367

SHA1
493c1992685c7413a9497aab830175ba92b1f80e

SHA256
ec27c6987d403bb31df794b47060fe707bca85c058ecb62b8a6ec9ab35de2c06

SHA512
9a510d68428c05f63cad243ba43a954fd595f57e2e88dddd0bf79094d19fb80ef9a71803cf635160bc88f4632176c330dadfef04681cff24fdba67732d1f9a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\Modules\wis.dll

Filesize
42KB

MD5
875b93e5075b75fba8b080c578e9170c

SHA1
3e04baed759bafcf80a3edc7f16054739ceb1972

SHA256
3a942e2bfd313ecdbd48ebe05653b50d904f9b1dc30c86067446885a8d01dff7

SHA512
54c008a278de9fe898cc661393df22b62be9dddd31ab910e311a52ab7035b93949baeba7ff4fc40371061bdc6d9ac9ebc6dc5cd6e31050b44964e172162f6b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe

Filesize
334KB

MD5
cdda1f88ec6c73e0f71a4549121165f9

SHA1
b4736704971dd67d904d3664772c815888d60d03

SHA256
0946e5e56039b750820fad2169e66ffe31a5a0d93fc17734948c40f9ef147c43

SHA512
e72c718fe4f0786d171ebc2daf1402667cf380e88877b5675ac782ec22e1b643a4b19b39e193c9002674f2ced61d22de0a7a4f8db9a621fe61534be28fc28775

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\RtHelp.exe

Filesize
92KB

MD5
76ef62b8346de441889c6775bc69ad7f

SHA1
41c9a0bef201d449249238ec7b77be2cd07f3784

SHA256
4938a2eea4326bb2c6289aac28b7e5ebcb7144fba15b0eada61a83b1404e3abc

SHA512
90785a8e3800d18759b6dd437d0029e8dd67f776f20bfc79660dafb9634450f8a725a3818b6ac8e71a67234b0e840825cd2216a165ba606b759af412193bebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAF9FA6E-5E96-F443-95A2-16385F57A26C\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\UpdHelper.dll

Filesize
130KB

MD5
bb40f596eab5c6598d320677b1731d62

SHA1
2c3f547355e07ba6585d955237a35e1125173028

SHA256
8b972cd7532648027a533330481a6fed08f70718b31396ddf6579519e862b169

SHA512
a2b6757d82bc9ad02516ab83b31c81c310cefc04ffe8ba1937febe44da2e9786a093fba21f6ed412403acde404a6684f7c2ad7f7696c03379fde9d3aee19b436

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
memory/1372-167-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-182-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-116-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-110-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-118-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-108-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-120-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-119-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-75-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-121-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-183-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-189-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-188-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-187-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-186-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-185-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-184-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-111-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-181-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-180-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-179-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-178-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-177-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-176-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-175-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-173-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-172-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-174-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-171-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-170-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-169-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-168-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download
memory/1372-190-0x0000000002980000-0x000000000298A000-memory.dmp

Filesize
40KB

Download