39a867c9577b630dba0faeacecefab805c5f0900c4bfd948c09b2abeca337b37

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c890dd552a388b19fa9878f6f40600.exe
Size

123KB
MD5

43c890dd552a388b19fa9878f6f40600
SHA1

7c9eedaa64c1de8b80767c0146dcdcfd85706203
SHA256

39a867c9577b630dba0faeacecefab805c5f0900c4bfd948c09b2abeca337b37
SHA512

905cc8a8170d3ee6b0b12c178c0cb34888962eb8fc1f03d8c83d520d4b264273dd92716ab8802c84617aac31355a0b329c58e2a16ecd10893c3a845e6b5ca93c
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLUnz0:OVYrJrOSsRwcpCI

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000142bc-31.dat	acprotect
behavioral1/files/0x00060000000142bc-30.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1444	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	regsvr32.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1444-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x00070000000141f1-51.dat	upx
behavioral1/files/0x00070000000141f1-43.dat	upx
behavioral1/memory/2276-32-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral1/files/0x00060000000142bc-31.dat	upx
behavioral1/files/0x00060000000142bc-30.dat	upx
behavioral1/files/0x000a0000000126af-11.dat	upx
behavioral1/files/0x000a0000000126af-8.dat	upx
behavioral1/memory/2948-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000a0000000126af-6.dat	upx
behavioral1/memory/2948-3-0x00000000002A0000-0x00000000002CE000-memory.dmp	upx
behavioral1/memory/2948-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1444-86-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_2_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100713110702\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100713110702\dialerexe.ini	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	43c890dd552a388b19fa9878f6f40600.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2872	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2948	43c890dd552a388b19fa9878f6f40600.exe
1444	iaccess32.exe
1444	iaccess32.exe
1444	iaccess32.exe
1444	iaccess32.exe
1444	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1444	2948	43c890dd552a388b19fa9878f6f40600.exe	19
PID 2948 wrote to memory of 1444	2948	43c890dd552a388b19fa9878f6f40600.exe	19
PID 2948 wrote to memory of 1444	2948	43c890dd552a388b19fa9878f6f40600.exe	19
PID 2948 wrote to memory of 1444	2948	43c890dd552a388b19fa9878f6f40600.exe	19
PID 1444 wrote to memory of 2872	1444	iaccess32.exe	16
PID 1444 wrote to memory of 2872	1444	iaccess32.exe	16
PID 1444 wrote to memory of 2872	1444	iaccess32.exe	16
PID 1444 wrote to memory of 2872	1444	iaccess32.exe	16
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17
PID 1444 wrote to memory of 2276	1444	iaccess32.exe	17

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
1⤵
- Manipulates Digital Signatures
- Runs regedit.exe
PID:2872

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
1⤵
- Loads dropped DLL
- Modifies registry class
PID:2276

C:\Windows\iaccess32.exe
C:\Windows\iaccess32.exe
1⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\43c890dd552a388b19fa9878f6f40600.exe
"C:\Users\Admin\AppData\Local\Temp\43c890dd552a388b19fa9878f6f40600.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20100713110702\dialerexe.ini

Filesize
587B

MD5
6b0793b050af5e5cd85f722faa56842a

SHA1
0ec6597581b8526f97e40fd33a64bedd7598377c

SHA256
e7c2d2ab0c3963dfe758d1ab748e9dd9d5ed2369492fa41c9863bbcd9ec14518

SHA512
24a3af5439750712ea591b51fc548a1efb925c8b5cc76efefb07702e7fb625628825851c541b788e356ab6e99502ba9db66e5f67e13d3eadea10d1c16f43df8c

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
418148b3214b65c31d222ef89035afbb

SHA1
f046dbb31858177b9c19ceae90e07f5a31971379

SHA256
3afc0736b2c4924ca22b8097f8af32fca88c199a5adae40b20d92928b076bdc3

SHA512
6ead79bdad26a11b0183de4d6f480130fd9b08b50610c06f3e01a20290c070e8c581e0b08c6ee9562d3de8e8176c8c717c4115d70d2644b2f29b32d905c9f258

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
18KB

MD5
6f6537f3f271ea9e9c68fd48e13a4c8e

SHA1
35b1505fb65f670bc3dd9791ba122dd5991e088f

SHA256
356185c84104e97fdc5838d2659895a7420b22dc6ecd39187f0b4fc59a706be1

SHA512
bdf49ed6b67fa24cbf952fcae6374b4de7e09b8c3115812f457a426e9c1094c0fcf32da030fd5cd25ae9e3db4d367b6c5f5f94b360090a7fd342387cf1beea66

Download Submit
C:\Windows\iaccess32.exe

Filesize
13KB

MD5
edfaab0c1f36aa609d61a73bb5f7be3c

SHA1
a8d8503a01bc73b99c7f57f298e0c6532408b0b8

SHA256
ed2d39c6e29175b23ece03899cd912da7483cbc9a9031673113b71b88b7e22f3

SHA512
4980778e03f79f521dfa7232d139d1db2762d9c67b482b8cbac0be28f6e819dbe392fa676fd5220108c45e4d2e9c6e02f2f5780975e5f419320e9b27e664d0f1

Download Submit
C:\Windows\iaccess32.exe

Filesize
58KB

MD5
bfe2cad99f6417f9e726d028d63a3c0f

SHA1
248fa9e7fe2ce770aa75862415abbdfda8f2ac6b

SHA256
04508fd71d93c4c14ff0dd477c4c71bb9fe3cbf8788b059440e73d2311ed28df

SHA512
d716b9e669bdf13009002f3fdd902a315363a20fde35df9adece412caf77261fb095c2df3ffcead3f59278f2b25c1e94fc5868967ddf78908260329cbe4750f7

Download Submit
C:\Windows\tmlpcert2007

Filesize
5KB

MD5
8d097b317d6e4aacd0ea9addca5ef291

SHA1
c161ba6fd9ec5eba1924ffa25141783ecadf53a9

SHA256
99bf870eb0e5a1f7bd68bcc2d046f3810f81bb82217247756ecd27fd006c8794

SHA512
27b5e20371768c8f46a3ceb860bcfd91953db318ec77be208edb21d65390de2adac680f7242733a908d33a88b7f49d6e6179e7e844562b0829e512b6400d95fe

Download Submit
\??\c:\windows\iaccess32.exe

Filesize
29KB

MD5
4c7b3b30ba4e7f00fb57eb8bfe07e6dc

SHA1
0847cee00b3e2a9a915468bba86860573d0eb5d4

SHA256
e5fb0524fa6b31ec2714c6bb8a57abe260d29afce0578ca46a05b24b7ee38d3f

SHA512
242a96a895b7874ef1b33d16ef6e538f7cb6fe647797d4c05c464d0f3376503ef003aaa0d85a78fcf6266ac1032e2ba2c56b501edcc3ce68a417c3a140cd93f0

Download Submit
\Program Files (x86)\Instant Access\Multi\20100713110702\instant access.exe

Filesize
1KB

MD5
6040b1dd431aefe5a915b1401f6b44e8

SHA1
72140d40d5162b23bc6eb38c0a965ec1479d8d7a

SHA256
559c864cc707fcce923d32975464ff9a53cfae447c6a5d30d0b5de1315cfb697

SHA512
104473c0297e7b555deb85486604b05682e90356bd39c56c69beb6d1dc0312098bc48ea55c9ac87f16a79d81d267be5348d1fb9bb69b09c0413b90ad7f0dfdb9

Download Submit
\Program Files (x86)\Instant Access\Multi\20100713110702\instant access.exe

Filesize
12KB

MD5
e4906f60b4fbc103ea326e6acdde6e9c

SHA1
f662e7a1f9515e9d3cdf15ead33369da61d133f2

SHA256
846a4e75dd685e518c086885cc0c6b6a66d4480349b7a9e83a64c01d30c5a690

SHA512
db9932256d71149ab40412f8f9a408a63c29a2eab4d29401fc302e3455467d79b75c46d547246b146dbfe7677c64c1238d6e8cc0291265dc076cf7c2e80f0f96

Download Submit
\Windows\SysWOW64\egaccess4_1071.dll

Filesize
32KB

MD5
55d36db08c888cd8207d3f3d56ab9462

SHA1
f3eddbca7b45b3d8b7fe4925cc219b46620cb66d

SHA256
9453fcbadf6f0c45822f1965734c91b54256d8841f9924845c71770a3c637370

SHA512
d742c9dec2e05d64da90220b779fc9781f610e12b10d94db45243611bd4f945095aca7a85a52dceeefa681c294a2657a7564e7b60715e09d02d33a8bc9f5c8ff

Download Submit
memory/1444-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1444-56-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/1444-57-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/1444-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1444-88-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2276-32-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/2948-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-3-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2948-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download