134a2d6078fe68ee4a8d9bdf5337997332737534ea00d80415811c47de164593

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14931fb37de312d3c98cd938891a7ec6.exe
Size

273KB
MD5

14931fb37de312d3c98cd938891a7ec6
SHA1

a9fb867106c5103f774dcbcfd4f44f032a840250
SHA256

134a2d6078fe68ee4a8d9bdf5337997332737534ea00d80415811c47de164593
SHA512

a8c14c0a9826b6287d9b05ba165260792f0eb5317a86999d31ad910ba577ded20861ece8323ec70208fa8c367098d03d533a0aefad301a5c51b8021cb0b3665f
SSDEEP

6144:l4qMZvK7bFvUeTC6vCj1SMYtDi2BNgzUU+dsWgHiuQ0:d0qBv1LG1L7/UU+2WgHDQ0

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023201-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	14931fb37de312d3c98cd938891a7ec6.exe

Loads dropped DLL 4 IoCs

pid	Process
1540	14931fb37de312d3c98cd938891a7ec6.exe
1540	14931fb37de312d3c98cd938891a7ec6.exe
5100	14931fb37de312d3c98cd938891a7ec6.exe
5100	14931fb37de312d3c98cd938891a7ec6.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4868	sc.exe
404	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics"	14931fb37de312d3c98cd938891a7ec6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	14931fb37de312d3c98cd938891a7ec6.exe
5100	14931fb37de312d3c98cd938891a7ec6.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 832	1540	14931fb37de312d3c98cd938891a7ec6.exe	91
PID 1540 wrote to memory of 832	1540	14931fb37de312d3c98cd938891a7ec6.exe	91
PID 1540 wrote to memory of 832	1540	14931fb37de312d3c98cd938891a7ec6.exe	91
PID 832 wrote to memory of 404	832	cmd.exe	93
PID 832 wrote to memory of 404	832	cmd.exe	93
PID 832 wrote to memory of 404	832	cmd.exe	93
PID 832 wrote to memory of 4868	832	cmd.exe	94
PID 832 wrote to memory of 4868	832	cmd.exe	94
PID 832 wrote to memory of 4868	832	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe
"C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "sc create "14931fb37de312d3c98cd938891a7ec6" binPath= "C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe" start= auto && sc start "14931fb37de312d3c98cd938891a7ec6" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc create "14931fb37de312d3c98cd938891a7ec6" binPath= "C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:404
- - C:\Windows\SysWOW64\sc.exe
    sc start "14931fb37de312d3c98cd938891a7ec6"
    3⤵
    - Launches sc.exe
    PID:4868

C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe
C:\Users\Admin\AppData\Local\Temp\14931fb37de312d3c98cd938891a7ec6.exe
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dki6A24.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/1540-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1540-7-0x00000000021B0000-0x0000000002223000-memory.dmp

Filesize
460KB

Download
memory/1540-8-0x00000000021B0000-0x0000000002223000-memory.dmp

Filesize
460KB

Download
memory/1540-18-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1540-17-0x00000000021B0000-0x0000000002223000-memory.dmp

Filesize
460KB

Download
memory/5100-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-15-0x0000000000D80000-0x0000000000DF3000-memory.dmp

Filesize
460KB

Download
memory/5100-16-0x0000000000D80000-0x0000000000DF3000-memory.dmp

Filesize
460KB

Download
memory/5100-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download