Analysis
-
max time kernel
155s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 11:49
General
-
Target
178c932fda8413f172fdca259f474c00.exe
-
Size
223KB
-
MD5
178c932fda8413f172fdca259f474c00
-
SHA1
c4a3a55d8d842881e44353d750b7a5aeb2b37fd1
-
SHA256
02dd9a9848252b07f1b2609795beacf09432196d07d39aeed2dc1cf7b09febc3
-
SHA512
5e5e6b987a518205a158731151ec448a53680437ecdd142f5a370771e1c4da2484fea2d03900b8cff500b8e9d2c85e4b17217ed7e1eebf12f4a61ea29647346a
-
SSDEEP
6144:2j3ei0AHdlVi6g+ucvczrWDOHJFlw7ietdT4fbR:2SidlM6gdcWMOHJ/0tda
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\178c932fda8413f172fdca259f474c00.exe"C:\Users\Admin\AppData\Local\Temp\178c932fda8413f172fdca259f474c00.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is162616.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is162616.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\system32\qoMffCvW.dll,a3⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is162616.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avast!.Antivirus.Professional.4.7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avast!.Antivirus.Professional.4.7.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c-setup.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c-setup.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hotvid44.com/bind2.php?id=39135814⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda5a246f8,0x7ffda5a24708,0x7ffda5a247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,13112802743720938725,15843064655516475104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:15⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\iexp_f.dll"4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AVAST!~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AVAST!~1.EXE3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x424 0x4a01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5eb20b5930f48aa090358398afb25b683
SHA14892c8b72aa16c5b3f1b72811bf32b89f2d13392
SHA2562695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
SHA512d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5e97763d89849273627790c1f18ce2415
SHA16ce9998783c4348f218d13c9c9bb4f3377b23fa9
SHA256a11afd24d688e1be95f9e17f7894fa4fb709da1678dd1c730caff1dddc7b514c
SHA512cc2c54f528f237f139f944f164f0fa4e9760e89e24703b290284e9e75eb8e2cacfca9693c77e184faa1416f97c6bc3b2731d4442dea6af405358309ad7f37212
-
Filesize
5KB
MD519ab5b6675c1a6f15cd1259501c96679
SHA1e27cdab4f51880db63c570b6aa6d54d60c1174e3
SHA2564707c6c8deed5cfb0f1f18f46e0cea4befe8f517c5242036174ba9bf7cb608b8
SHA512e691fe43585f91ddc62e9fe5fdf399c56125b8bc360a5209e3b743ed9f93df293f16035622396f48c35998fcca41e9a485e704980f25d67b30dcce8bc59e1762
-
Filesize
24KB
MD52bbbdb35220e81614659f8e50e6b8a44
SHA17729a18e075646fb77eb7319e30d346552a6c9de
SHA25673f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd
SHA51259c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD559712ab64cbb28ccf86bf9d27ffc38a5
SHA1a8e5f2ca6cfdeacd05154aff12fa1a8e035a26aa
SHA256498539d8b9df7690a6c04862d5a9ed333e925022b0d7bb5c86111264e2db4a9a
SHA512ae03f8d3a070cccb43b3f3a2f3eb47098c3f9bb14be1ae825abcac858ae4fe64461e15122694c2203fa2ffb0c2f8bd7e40d1b8693ef5a81b0f63838739bd0a7b
-
Filesize
149KB
MD5d2442dac7189f2deaf4e017984f0c097
SHA120b1df4071ed8ed8c69d05110a6e371dfc007af3
SHA256a7b7ff9b6c27f4fe37b4ceca4d6fd936f2adb9e58d54c6d47a48ba7cc141a9b9
SHA5121536226ea89f8a398f4b2571c63897bab0de7c84304998450afef8496e8300107c99ecb8760a4b0d55ffb3737aeeaddd537fb6850ff3efd56fbefaf2b9c19602
-
Filesize
61KB
MD5bc137766a5d3b8c0f0322a0014f89151
SHA1c565f1f039cf333056a1c8b026d9fd5929414c93
SHA256dba2b115db4dbf15dfa6f4f5967a3b8abbed3473cd10629ce02b04878da7f3a6
SHA512fa04c8f062be0b18c1e38443197d8f05b828d58c2d897cc06912e0c548ae3bb9af9af02c4189a49207af77d3bcd8a2c4146a7b84d4ea81f8d92e6502c512c54e
-
Filesize
58KB
MD5052e76bef112e5bf9400eb40fe253745
SHA1601200f5328100727583252935e0bfd6e293fd5d
SHA25683f474c333ccec36ac6f59cefdb70e63c05fb1e5d16acacb0b6534b5fee65949
SHA51298f8e6931207daecedb0be058c4fe3f3c8c926057a0580095bbc8703a11e0e3c9ea7e84b36d107f83991fa1d6c484e78035e0f8244c0898b202f7c6f32dca131
-
Filesize
62KB
MD527bd2d1b218b93f435eccc948fcab162
SHA1a2f7a2e89cf7b7951090559d89d8894680c27c09
SHA2568a733667f1d62aa9714596a539af803a0ccaa8d707d9cf722e856fbcb0f11f17
SHA512cbb8a38c97540dc04c2761051b132034f25e49f1e700f63573093b551bb6a4a72a08eb628758c470c7090764b5c0375b3d20312e1e3678a264cd7fcd91473c30
-
Filesize
43B
MD59a7ef09167a6f4433681b94351509043
SHA1259b1375ed8e84943ca1d42646bb416325c89e12
SHA256d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
SHA51296b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df
-
Filesize
20KB
MD5b8cb34d1b759a2016bb2066092cf3ecc
SHA1cdf9382f61ad2df435d63225501f1e8014a6791e
SHA2568dc9f89156caa84c9974bb83f30787eff0dada234e12409023f193f73f4b1b64
SHA51214fd51b063c0328ec65a0942df96e792dea7046c47e640a56528e6412c561a0b44e3e58b014389b60ae1bf448a1cbe5a5984a2d53571a9fdd940eb5db4e3a486
-
Filesize
39KB
MD51f318e9c6aeee5911ca94c0bb9af70e6
SHA109e6f27173d52fa2b4aec46d02509d55b8803dc4
SHA2561af8ff13c052ac0c6ebfc80ab83a9fe4e8ddce5621ad0ab09e69950299508ed8
SHA51256c749f5c7e1e52d2b156500c623ebb0d5c7e5828bf1bd9683dd4654b940f2f2091ade4e6c3713a320482f2248cc36469c85bbb1a9de11ad5d9b8287fd11fadb
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
75KB
-
Filesize
75KB
-
Filesize
75KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
75KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
80KB