23d4ef79cb7a0dc60087b708116ec4a629ecb41ae503a3b64a2ffa30a99f3997

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36dc8ff07e4101fd729b5ee605b1cada.exe
Size

1.1MB
MD5

36dc8ff07e4101fd729b5ee605b1cada
SHA1

2782e22b1e686dd5dfe949604f07a43fd30a0709
SHA256

23d4ef79cb7a0dc60087b708116ec4a629ecb41ae503a3b64a2ffa30a99f3997
SHA512

f7e11eab04d2d07d5dd7a233ac7aa32454e2fca79dd3f7df35c60fea9722ab5deb3723bc5ddd5a9c66ce33c6a5f73514cf0a585f972d2ed907abe3960372bd3b
SSDEEP

24576:+9WC988bu6CocrIn8Ez82LEeb1wk/h48Ocb/B/w3248ULF:+B88TCoyEz821BVlA

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000195a3-92.dat	acprotect
behavioral1/memory/2792-94-0x00000000748A0000-0x00000000748AA000-memory.dmp	acprotect
behavioral1/files/0x00050000000195a7-98.dat	acprotect
behavioral1/memory/2792-100-0x00000000008C0000-0x00000000008CC000-memory.dmp	acprotect
behavioral1/memory/2792-132-0x00000000748A0000-0x00000000748AA000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2792	cb8dInstaller.exe

Loads dropped DLL 14 IoCs

pid	Process
828	36dc8ff07e4101fd729b5ee605b1cada.exe
828	36dc8ff07e4101fd729b5ee605b1cada.exe
828	36dc8ff07e4101fd729b5ee605b1cada.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe
2792	cb8dInstaller.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000195a3-92.dat	upx
behavioral1/memory/2792-94-0x00000000748A0000-0x00000000748AA000-memory.dmp	upx
behavioral1/files/0x00050000000195a7-98.dat	upx
behavioral1/memory/2792-100-0x00000000008C0000-0x00000000008CC000-memory.dmp	upx
behavioral1/memory/2792-132-0x00000000748A0000-0x00000000748AA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c000000015c1b-19.dat	nsis_installer_1
behavioral1/files/0x000c000000015c1b-19.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
828	36dc8ff07e4101fd729b5ee605b1cada.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	cb8dInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28
PID 828 wrote to memory of 2792	828	36dc8ff07e4101fd729b5ee605b1cada.exe	28

C:\Users\Admin\AppData\Local\Temp\36dc8ff07e4101fd729b5ee605b1cada.exe
"C:\Users\Admin\AppData\Local\Temp\36dc8ff07e4101fd729b5ee605b1cada.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\temp\cb8dInstaller.exe
  "C:\Users\Admin\AppData\Local\temp\cb8dInstaller.exe" /KEYWORD=cb8d "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\cb8dfondo.bmp

Filesize
206KB

MD5
d0b7e8cacf76c6503800f519b46e9f70

SHA1
7709edfa68be23c7937a03edebe5391ebdaa5ffc

SHA256
0a816ba46242b56cef98e153568cd10e456c04f35890cab580ded5c8d4bce09b

SHA512
89c6bb1a0eddf0e05cd74aea41d2beb580242cdd511eeaf2c528f2f6c92d408f4d5fca4eff27a4805563cc514384cfda5715429a1055c6eac819f9291da5f193

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dheader.bmp

Filesize
25KB

MD5
d35054894c38a5d1534690be1b484668

SHA1
95479f9db28c78838804b9c3fdb7dea3a8c986d1

SHA256
aff56aa9247fda0ee53914fe4ee3cbb0bf14d3eb2656f456fd749496416cf973

SHA512
b6c57cbc037e3bed8f5da8da8dce853f2ce701ed8a4b98bf6c4e18ab76bab46bd940874a6974bf47e0205dbbcfbabba8546bca630f1493729130fe3f465e7585

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dinstaller.ini

Filesize
451B

MD5
6fbf86076ae704f2339cf7dff1116567

SHA1
133f768a06db7e016b9e2a666086c908bb36e149

SHA256
9d373e183daa209f9d72743fcb2be680a2a468a16004f47e45a4d92458a03cef

SHA512
e19c3bfad09186080362337486cad1f6f730b266fecd8425277a274f8b0d1ab9eba4de093df3a57cb146336dd440226a1fecc79ff5c5b443ff34e4ae36aa8ceb

Download Submit
\Users\Admin\AppData\Local\Temp\cb8dInstaller.exe

Filesize
770KB

MD5
5401ab2ce579794fa3f41208d513fbfc

SHA1
04fc7652dfbb8aafe4e272f43493e854f87603e7

SHA256
6a70aae0fa0a64135e97310b4a217f8c764788d1c79d01483ffb62bde46d61db

SHA512
8bcbc940cb1a6b253aa26276485af61d01d75b3b5aa29eec64e365942b8fd559f486273f4b4289cc99788f00389f2d87c6a530d81384b6388f1213cd05231dfe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8E5C.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2792-110-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2792-127-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2792-128-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2792-100-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2792-94-0x00000000748A0000-0x00000000748AA000-memory.dmp

Filesize
40KB

Download
memory/2792-132-0x00000000748A0000-0x00000000748AA000-memory.dmp

Filesize
40KB

Download
memory/2792-134-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2792-135-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2792-136-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download