132cb6059a9d22905405b754535d72a8bd03d1d1c5cd1419034919f7ecbf2d5e

General

Target

2c3285ff73241b51c95e7a003d5fd223.exe
Size

711KB
MD5

2c3285ff73241b51c95e7a003d5fd223
SHA1

7174bcf713b66b13dc6f574bd71c9cb60e15fcc8
SHA256

132cb6059a9d22905405b754535d72a8bd03d1d1c5cd1419034919f7ecbf2d5e
SHA512

44bc7b93f65ac652e7537dc0229320e19da8fcc840d83142573efb35b4deee2c3b85d3d978496aba7e96796d3ef1323bad9129ec9be95b57b4d747c43b44c536
SSDEEP

12288:07mlXFD+sU5hGegIGZ7nW7EiRoCrYhYDUlYeWS6KOjr45oRMoBaOmYckAXMIOtor:07mlXFD+PPGZQloCrYmDNej6J8ZolW8G

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002321f-31.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
60	winrsz.exe

Loads dropped DLL 10 IoCs

pid	Process
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321f-31.dat	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nrwsers.sys	2c3285ff73241b51c95e7a003d5fd223.exe
File created	C:\Windows\SysWOW64\winrsz.exe	2c3285ff73241b51c95e7a003d5fd223.exe
File opened for modification	C:\Windows\SysWOW64\winrsz.exe	2c3285ff73241b51c95e7a003d5fd223.exe
File created	C:\Windows\SysWOW64\srvany.exe	winrsz.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\winadd.tnt	2c3285ff73241b51c95e7a003d5fd223.exe
File opened for modification	C:\Windows\Fonts\winadd.tnt	2c3285ff73241b51c95e7a003d5fd223.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
4732	2c3285ff73241b51c95e7a003d5fd223.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe
60	winrsz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 60	4732	2c3285ff73241b51c95e7a003d5fd223.exe	93
PID 4732 wrote to memory of 60	4732	2c3285ff73241b51c95e7a003d5fd223.exe	93
PID 4732 wrote to memory of 60	4732	2c3285ff73241b51c95e7a003d5fd223.exe	93

C:\Users\Admin\AppData\Local\Temp\2c3285ff73241b51c95e7a003d5fd223.exe
"C:\Users\Admin\AppData\Local\Temp\2c3285ff73241b51c95e7a003d5fd223.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\winrsz.exe
  C:\Windows\system32\winrsz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
88KB

MD5
d48a2f492576ee9a2490729f9ff9c2f7

SHA1
165b2e1ce2ef9d8f077f53d5c7a846399103fa75

SHA256
176466611c43ff942d8d66baa928d8c15bd40816fe2d9f62dd66ce558e7e5e75

SHA512
f37d6eb6155694ded6df79dce57aa77fe6b71875fd63608952f3dbf33a791137c171ff54331cc01d200250340da01f47dac384e2f5f814c43052d89c873c034f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
124KB

MD5
92044aa003c045ce5ba6f3095515218e

SHA1
8c261feba60d1b3a69d583b17d12f21029b9daa0

SHA256
570f270a2528011596be10fa9d0ee96d9b1255c82e61c0a3b9ed3a71474ea896

SHA512
4156f2ebf8c770368265f3a30051b0825fd9494a6d8c848a87210f82f022a8dbc51c6b648b65414212e4a19effc5d054a6c7de859ff1b97f3a49362f441c8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\ijl11.dll

Filesize
69KB

MD5
2ad44db3f0317eb9c2155fa79c3c5d61

SHA1
00937065002d0ceb35484f6794721be00c7cd7c2

SHA256
14e45a995ea7985f2971ce280a7eeed728d0d839abf07505f765027097644361

SHA512
a1e2312db3533f2002353f9a28e8a5a68745dd0cd61125b232f0bae0f2da09deda85b5e5bab8410d81ee5aac0cd9da2ee6e6b9c37699b9ac7970174abd4d4b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
92KB

MD5
6e9d501d45f453dbda7b31785c02ea28

SHA1
dfaaa0692306a735bbff9bb8de61b5f1bf00e567

SHA256
7f757451591a8457cf74e0f523e3304e670328a81ca12135bb48b998edbdb1e1

SHA512
42256d5dc30e2ef478a93205f820e452df0750910717a26d27fcd7989d96128888f0542bb791200991f7fb22d095997382c2fcdd1fb1f4ab573c42006fdcd611

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
377KB

MD5
037f9dcf60cdbd7557d1a9899c21dc00

SHA1
b3b2aab8cca56095aed536f715d4669e59d787c4

SHA256
60730fe84396d5be519be1755d934512d470430cf3248d7267f81da536ccd88c

SHA512
e07ea584ea93e736567394c8941acdb43d813c74d1bd0ea903c966df77cddd57ad21cc4ec99a6eadcd5b0831f7acf213b5ee4251c7d767b1ba0fe3f31ac17e4f

Download Submit
C:\Windows\SysWOW64\winrsz.exe

Filesize
711KB

MD5
2c3285ff73241b51c95e7a003d5fd223

SHA1
7174bcf713b66b13dc6f574bd71c9cb60e15fcc8

SHA256
132cb6059a9d22905405b754535d72a8bd03d1d1c5cd1419034919f7ecbf2d5e

SHA512
44bc7b93f65ac652e7537dc0229320e19da8fcc840d83142573efb35b4deee2c3b85d3d978496aba7e96796d3ef1323bad9129ec9be95b57b4d747c43b44c536

Download Submit
memory/60-40-0x00000000020D0000-0x00000000020EA000-memory.dmp

Filesize
104KB

Download
memory/60-48-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-62-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-61-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-60-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-58-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-41-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-45-0x0000000002130000-0x0000000002151000-memory.dmp

Filesize
132KB

Download
memory/60-57-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-36-0x0000000002070000-0x0000000002072000-memory.dmp

Filesize
8KB

Download
memory/60-35-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-56-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-55-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-54-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/60-51-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/60-53-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/4732-20-0x00000000023C0000-0x00000000023E1000-memory.dmp

Filesize
132KB

Download
memory/4732-46-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/4732-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4732-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4732-6-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/4732-9-0x0000000010000000-0x0000000010122000-memory.dmp

Filesize
1.1MB

Download
memory/4732-10-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/4732-14-0x00000000021C0000-0x00000000021DA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing