6af6c46ca733bfbce769a89a625b3c699d90a8876cf509b6757d0d49e6b206cb

General

Target

451c2ccd160c615e916013b70d4ab8d3.exe
Size

123KB
MD5

451c2ccd160c615e916013b70d4ab8d3
SHA1

670a8e414ebfd8482eca3cf588d42824ef6d24c7
SHA256

6af6c46ca733bfbce769a89a625b3c699d90a8876cf509b6757d0d49e6b206cb
SHA512

71178a582290ae84fb214d1d5d54a510f5593ced87f9071079b3ae72ee28d34cd7b383bead546bc9e4b1b54832d3c4d253bfed732082bf9c19334ccaca59232b
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLwEl0:OVYrJrOSsRwcp+

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023212-26.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	regsvr32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1272-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000400000001e716-3.dat	upx
behavioral2/files/0x000400000001e716-4.dat	upx
behavioral2/memory/1728-5-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1272-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0006000000023212-26.dat	upx
behavioral2/memory/2040-28-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral2/files/0x0007000000023211-40.dat	upx
behavioral2/memory/1728-54-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1728-55-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1728-60-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100712220743\dialerexe.ini	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100712220743\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	451c2ccd160c615e916013b70d4ab8d3.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\IESettingSync	iaccess32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
1636	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1272	451c2ccd160c615e916013b70d4ab8d3.exe
1728	iaccess32.exe
1728	iaccess32.exe
1728	iaccess32.exe
1728	iaccess32.exe
1728	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1728	1272	451c2ccd160c615e916013b70d4ab8d3.exe	88
PID 1272 wrote to memory of 1728	1272	451c2ccd160c615e916013b70d4ab8d3.exe	88
PID 1272 wrote to memory of 1728	1272	451c2ccd160c615e916013b70d4ab8d3.exe	88
PID 1728 wrote to memory of 1636	1728	iaccess32.exe	92
PID 1728 wrote to memory of 1636	1728	iaccess32.exe	92
PID 1728 wrote to memory of 1636	1728	iaccess32.exe	92
PID 1728 wrote to memory of 2040	1728	iaccess32.exe	93
PID 1728 wrote to memory of 2040	1728	iaccess32.exe	93
PID 1728 wrote to memory of 2040	1728	iaccess32.exe	93

C:\Users\Admin\AppData\Local\Temp\451c2ccd160c615e916013b70d4ab8d3.exe
"C:\Users\Admin\AppData\Local\Temp\451c2ccd160c615e916013b70d4ab8d3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:1636
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20100712220743\instant access.exe

Filesize
123KB

MD5
b4255288e15427b89ab0a65538bbd73c

SHA1
05a1f4d40d1ca1a03a4746d76e7c3a752d4ce672

SHA256
1d384091755d782fe1411cbd90c0b0f103079c65c0b474f27c21048899999710

SHA512
edcdecfbe0c1e08ef094e745a0564b54d3a38e3df8733fc6716c753c50a99a6899f64cd40e91b1aa95731719bbdd7db53ee1eb29d9ceac8e9b489511c1952a9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NOCREDITCARD.lnk

Filesize
2KB

MD5
91b7d99b1b9a33e8afb2660b2b6aa9be

SHA1
f19dfeaa3d2ce397075cc241cac9c4cea0aa6fc8

SHA256
66b7499559c17a7f50533eabe35f384584ce6ddad97beacebd51ad54356b55ac

SHA512
06a14ec04a23f068d6b1aa0e116458cba6a31c37764c939a6868ba6b67051dd5f70fe032a73f0b782e53a4bc6aa636f6b1e428190832cda4f6c05bcf9a2ffa29

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
53c0f39f958621ef06937fc0d36e683b

SHA1
6ecd769beb1ad257acf7ae8de2515734344f9516

SHA256
9c538fcbfb83ab6703f515e68197eeb3163f4db740108f4069443c9530657d42

SHA512
6447c14252dd1393ab3d2a8c5315c5466b014eafc98b9b35966991460fd9ec1e13b6ffe48262b81ed1d85a41d4539f2591c75f9316af459966f37d759b733ffc

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\dialerexe.ini

Filesize
587B

MD5
d23755dea36c771d73b8b48e41e018a7

SHA1
43498c995c23b81fb75834787fe3cfb3dba49cc8

SHA256
dc7e555066d62e6712dbaafdf928aa44b21fb6b9fa033b530dfe336acae18bc7

SHA512
dbe3cc35580ef24488d052e5208555364c0926e9e569b8e02472ef0ddf26410532050636d882c6f731e9317f1ed1f9e0575161b675b0907f9126eb64bd531375

Download Submit
C:\Windows\iaccess32.exe

Filesize
97KB

MD5
879fb4b2d894e186af896e8e3c5b5c79

SHA1
d01cfa6d83f84c09c467ed3d97baa9b3ca2668ae

SHA256
b83a86d87a341fc066ae16e503cfaa6293a4897cbde614cc0236ec8328f14cb7

SHA512
7e6c3e03ffcb0d44eb7a1a7ffc7dd29c6f7e5b29fea227ba6028eb41833cc32c80a120fcc161a8434fade332b88bc9aced9c977cd820aee510ebabd7e6820938

Download Submit
C:\Windows\iaccess32.exe

Filesize
88KB

MD5
94d0e7478bcd99f2a34504db14335d64

SHA1
84d218533c5530c13c61730a2a909e4b91821e60

SHA256
c24fcd060b803366ef42a700adc94884c6d35d129a775adffe31fda287343dfa

SHA512
77868e40891dc5ba0b9ab8352626560b92ed8224901e11a3ea83417ba948582d7396a2626a689de58039f50505a519f5835c1a12f59b6e4d2df421d5f536e6dc

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/1272-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1272-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1728-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1728-54-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1728-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1728-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2040-28-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing