23d4ef79cb7a0dc60087b708116ec4a629ecb41ae503a3b64a2ffa30a99f3997

Analysis

max time kernel
175s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36dc8ff07e4101fd729b5ee605b1cada.exe
Size

1.1MB
MD5

36dc8ff07e4101fd729b5ee605b1cada
SHA1

2782e22b1e686dd5dfe949604f07a43fd30a0709
SHA256

23d4ef79cb7a0dc60087b708116ec4a629ecb41ae503a3b64a2ffa30a99f3997
SHA512

f7e11eab04d2d07d5dd7a233ac7aa32454e2fca79dd3f7df35c60fea9722ab5deb3723bc5ddd5a9c66ce33c6a5f73514cf0a585f972d2ed907abe3960372bd3b
SSDEEP

24576:+9WC988bu6CocrIn8Ez82LEeb1wk/h48Ocb/B/w3248ULF:+B88TCoyEz821BVlA

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023266-86.dat	acprotect
behavioral2/memory/1872-91-0x0000000073B50000-0x0000000073B5A000-memory.dmp	acprotect
behavioral2/files/0x0006000000023267-93.dat	acprotect
behavioral2/memory/1872-130-0x0000000073B50000-0x0000000073B5A000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	36dc8ff07e4101fd729b5ee605b1cada.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	cb8dInstaller.exe

Loads dropped DLL 14 IoCs

pid	Process
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe
1872	cb8dInstaller.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023266-86.dat	upx
behavioral2/memory/1872-91-0x0000000073B50000-0x0000000073B5A000-memory.dmp	upx
behavioral2/files/0x0006000000023267-93.dat	upx
behavioral2/memory/1872-104-0x00000000037D0000-0x00000000037DC000-memory.dmp	upx
behavioral2/memory/1872-130-0x0000000073B50000-0x0000000073B5A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002322d-21.dat	nsis_installer_1
behavioral2/files/0x000700000002322d-21.dat	nsis_installer_2
behavioral2/files/0x000700000002322d-24.dat	nsis_installer_1
behavioral2/files/0x000700000002322d-24.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	36dc8ff07e4101fd729b5ee605b1cada.exe
1704	36dc8ff07e4101fd729b5ee605b1cada.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	cb8dInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1872	1704	36dc8ff07e4101fd729b5ee605b1cada.exe	93
PID 1704 wrote to memory of 1872	1704	36dc8ff07e4101fd729b5ee605b1cada.exe	93
PID 1704 wrote to memory of 1872	1704	36dc8ff07e4101fd729b5ee605b1cada.exe	93

C:\Users\Admin\AppData\Local\Temp\36dc8ff07e4101fd729b5ee605b1cada.exe
"C:\Users\Admin\AppData\Local\Temp\36dc8ff07e4101fd729b5ee605b1cada.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\temp\cb8dInstaller.exe
  "C:\Users\Admin\AppData\Local\temp\cb8dInstaller.exe" /KEYWORD=cb8d "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb8dInstaller.exe

Filesize
770KB

MD5
5401ab2ce579794fa3f41208d513fbfc

SHA1
04fc7652dfbb8aafe4e272f43493e854f87603e7

SHA256
6a70aae0fa0a64135e97310b4a217f8c764788d1c79d01483ffb62bde46d61db

SHA512
8bcbc940cb1a6b253aa26276485af61d01d75b3b5aa29eec64e365942b8fd559f486273f4b4289cc99788f00389f2d87c6a530d81384b6388f1213cd05231dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\ToolkitOffers.dll

Filesize
118KB

MD5
84d094b89639b2f8cef30b6d0673d000

SHA1
db71b2ac0895c43c12b20d0bafdb129dff873cfe

SHA256
788f44a9368c05e8e32b4a6f8b7aeb2735b23faf2f888551f68647c25feac7a9

SHA512
f094d07c2fa89e8b83e4fdf57d2b9532a2137bc5c1ad7c3525474c56114cfde24e5c3a47830d5399670b297ca3f53b6d843fcb0fc35d382dd04ce1c072fa0fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\ToolkitOffers.dll

Filesize
99KB

MD5
ca526b26eb46395883f208fa268fa35e

SHA1
d99020b5575d7183d4748ef7af3be95e5e33d218

SHA256
814a15d3e8b957b54b4d724dc17d48d20ee7be89086a9d1d31b16b30a9a429cc

SHA512
3eaa52e006604941e50ce987c826337539e5e1b416150ac3bb3a881b9d4f2169e1af8b22163c44a6c656f8eafa3d0d5e22bd352897fd4d3fb7b34c6d508bd1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\ToolkitOffers.dll

Filesize
54KB

MD5
01572a0498679c7b3fa985e87f59a79e

SHA1
d6455027f70380bd7fba11b2d0e9b45bebb18fac

SHA256
542019c2c2a2361fab669e0bf5f9f2f608a0b99c0485f43aacaad34762211cfd

SHA512
82ca70dfa568a841273b6b8c868cdf3e376a91532934ca168f18d9529d3ebeee03c54bf57286c31b8026607eab0393e6ae07c4b22de62ddef342e58aa931bb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy409F.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dInstaller.exe

Filesize
685KB

MD5
8997288f6819b166821d34ff9b025345

SHA1
92d68d8d21a4b579fb8c21884b851d72ab4ebcd1

SHA256
8efe9f90a825af8a864acbdabe67c0cbe05b5a37caa8ed71e4620e45ad891854

SHA512
04e3ea691d8d8d4b009af627f05e4c6ad824d8728b58629836f8b56482affc53de6be12f73e542782002932b122203f617c7c4e043e7a5d0746e1ff4998fed94

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dfondo.bmp

Filesize
206KB

MD5
d0b7e8cacf76c6503800f519b46e9f70

SHA1
7709edfa68be23c7937a03edebe5391ebdaa5ffc

SHA256
0a816ba46242b56cef98e153568cd10e456c04f35890cab580ded5c8d4bce09b

SHA512
89c6bb1a0eddf0e05cd74aea41d2beb580242cdd511eeaf2c528f2f6c92d408f4d5fca4eff27a4805563cc514384cfda5715429a1055c6eac819f9291da5f193

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dheader.bmp

Filesize
25KB

MD5
d35054894c38a5d1534690be1b484668

SHA1
95479f9db28c78838804b9c3fdb7dea3a8c986d1

SHA256
aff56aa9247fda0ee53914fe4ee3cbb0bf14d3eb2656f456fd749496416cf973

SHA512
b6c57cbc037e3bed8f5da8da8dce853f2ce701ed8a4b98bf6c4e18ab76bab46bd940874a6974bf47e0205dbbcfbabba8546bca630f1493729130fe3f465e7585

Download Submit
C:\Users\Admin\AppData\Local\temp\cb8dinstaller.ini

Filesize
451B

MD5
6fbf86076ae704f2339cf7dff1116567

SHA1
133f768a06db7e016b9e2a666086c908bb36e149

SHA256
9d373e183daa209f9d72743fcb2be680a2a468a16004f47e45a4d92458a03cef

SHA512
e19c3bfad09186080362337486cad1f6f730b266fecd8425277a274f8b0d1ab9eba4de093df3a57cb146336dd440226a1fecc79ff5c5b443ff34e4ae36aa8ceb

Download Submit
memory/1872-110-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-104-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-112-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-130-0x0000000073B50000-0x0000000073B5A000-memory.dmp

Filesize
40KB

Download
memory/1872-132-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/1872-133-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1872-111-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-91-0x0000000073B50000-0x0000000073B5A000-memory.dmp

Filesize
40KB

Download
memory/1872-138-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-140-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-139-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-141-0x00000000037D0000-0x00000000037DC000-memory.dmp

Filesize
48KB

Download
memory/1872-143-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download