1ea1ea1a5b028860f88a3046c9b5500dd0e32a139d40291bda1451d07612d6e2

General

Target

15df9d2cab5c11c0f3e329eecd05f471.exe
Size

84KB
MD5

15df9d2cab5c11c0f3e329eecd05f471
SHA1

a0b4ea69a63814e10c0d4bbd3d05658f6c49be78
SHA256

1ea1ea1a5b028860f88a3046c9b5500dd0e32a139d40291bda1451d07612d6e2
SHA512

2d0cd1bc95d6b30fcbb3c9bce4c40d6d8a601a43ad39effb59713f1a75098a19266d474c6c3a6edb0862867abb1712105ab28e5d6eb73e52d8acda715ec4b124
SSDEEP

1536:eeWWUFIDHAHfxLu56kqnwPOBb/o+c2Snlq91VPlZa9fXM532VkiSid34:z9UCDgk56q0b/oX/lq91fZa9fM5GVkEu

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002320b-11.dat	acprotect

Deletes itself 1 IoCs

pid	Process
4684	aba.exe

Executes dropped EXE 2 IoCs

pid	Process
4684	aba.exe
772	aba.exe

Loads dropped DLL 3 IoCs

pid	Process
1364	15df9d2cab5c11c0f3e329eecd05f471.exe
1364	15df9d2cab5c11c0f3e329eecd05f471.exe
772	aba.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1364-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000700000002320b-11.dat	upx
behavioral2/memory/1364-13-0x0000000010000000-0x0000000010042000-memory.dmp	upx
behavioral2/files/0x0006000000023212-19.dat	upx
behavioral2/files/0x0006000000023212-20.dat	upx
behavioral2/files/0x0006000000023212-21.dat	upx
behavioral2/memory/1364-26-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4684-27-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/772-28-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/772-29-0x0000000010000000-0x0000000010042000-memory.dmp	upx
behavioral2/memory/772-30-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ietgc.log	15df9d2cab5c11c0f3e329eecd05f471.exe
File opened for modification	C:\Windows\SysWOW64\ietgc.log	15df9d2cab5c11c0f3e329eecd05f471.exe
File created	C:\Windows\SysWOW64\winol.dll	15df9d2cab5c11c0f3e329eecd05f471.exe
File opened for modification	C:\Windows\SysWOW64\winol.dll	15df9d2cab5c11c0f3e329eecd05f471.exe
File opened for modification	C:\Windows\SysWOW64\aba.dlx	15df9d2cab5c11c0f3e329eecd05f471.exe
File created	C:\Windows\SysWOW64\aba.dll	15df9d2cab5c11c0f3e329eecd05f471.exe
File opened for modification	C:\Windows\SysWOW64\aba.dll	15df9d2cab5c11c0f3e329eecd05f471.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1364	15df9d2cab5c11c0f3e329eecd05f471.exe
1364	15df9d2cab5c11c0f3e329eecd05f471.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe
772	aba.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1364	15df9d2cab5c11c0f3e329eecd05f471.exe
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1364	15df9d2cab5c11c0f3e329eecd05f471.exe
Token: SeDebugPrivilege	772	aba.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4684	1364	15df9d2cab5c11c0f3e329eecd05f471.exe	90
PID 1364 wrote to memory of 4684	1364	15df9d2cab5c11c0f3e329eecd05f471.exe	90
PID 1364 wrote to memory of 4684	1364	15df9d2cab5c11c0f3e329eecd05f471.exe	90

C:\Users\Admin\AppData\Local\Temp\15df9d2cab5c11c0f3e329eecd05f471.exe
"C:\Users\Admin\AppData\Local\Temp\15df9d2cab5c11c0f3e329eecd05f471.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\aba.exe
  C:\Windows\SYSTEM32\aba.exe -r "C:\Users\Admin\AppData\Local\Temp\15df9d2cab5c11c0f3e329eecd05f471.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4684

C:\Windows\SysWOW64\aba.exe
C:\Windows\SysWOW64\aba.exe -u
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aba.dll

Filesize
66KB

MD5
d83be8518a4e10639128ef7b8f52e227

SHA1
a77962c70e73d8f2f8cae4df9d5b7db576554a57

SHA256
207b03c20fc50c0047a9ec76c239c23441fb884cfa2c64bd7126baef5afa9e55

SHA512
3d3d917032a4a882fd68fbeafef7a23ae5677fbc84370396b366b93516dc9d0d374f8d455dbef62d18a9ea802a47ca144ace10957c26b61f833b250a0fc3a13d

Download Submit
C:\Windows\SysWOW64\aba.dlx

Filesize
47B

MD5
bbcdbb68e3207cd91ee9ca3ed4c441ad

SHA1
f8d11f1b4d6234255787808692f90b09d8f5890d

SHA256
a04f10b27c1b6858bb97e3b3ce26ec1023e52915ec3c2bcd9cfc1cc2b8fb28c5

SHA512
303138d13300b679f27f3e65054594ebe4a0f8adf40d3ffeff95cf03acf8c77d6a845c1d1b8ad3af2bf6694d57c360c0796aac3d0672849cb01d6e23c72bb31f

Download Submit
C:\Windows\SysWOW64\aba.exe

Filesize
54KB

MD5
009bca920284420c479109bb388e259e

SHA1
4460442424f25070798d0d735e9896d930fe8f0c

SHA256
18798c303df00e312469c099537c6b1ecfc8adb7d11aa7e42e3a36ea1f4f5e61

SHA512
64a6dde28cf95e02f1fa9f644bbdc3af330d3defde0e2009615b830b153b4dd9e8f861685d9faaec0591595c74cf13d70de9012ac4eb45f302af471c347a361a

Download Submit
C:\Windows\SysWOW64\aba.exe

Filesize
14KB

MD5
281eaa96d280f3f7feddfc4caff3805b

SHA1
a424f2039520b92ffd62ecf3e0c17f2d0ded5f70

SHA256
bd5e1c8a7c0221c43e62c85098f50932b3d6207b2c518be60a24503e34a66993

SHA512
df40c36aa08ef86a7543cbb2d2af7f50bb59837ad87013399219ce02de07e5e9f3a31cd54947c5b50d8f7208120f1b8a76295e9530cc74bd72e3e72d5737f6ef

Download Submit
C:\Windows\SysWOW64\aba.exe

Filesize
84KB

MD5
15df9d2cab5c11c0f3e329eecd05f471

SHA1
a0b4ea69a63814e10c0d4bbd3d05658f6c49be78

SHA256
1ea1ea1a5b028860f88a3046c9b5500dd0e32a139d40291bda1451d07612d6e2

SHA512
2d0cd1bc95d6b30fcbb3c9bce4c40d6d8a601a43ad39effb59713f1a75098a19266d474c6c3a6edb0862867abb1712105ab28e5d6eb73e52d8acda715ec4b124

Download Submit
memory/772-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/772-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/772-29-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1364-18-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1364-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1364-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1364-13-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4684-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing