eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48acc010b209323240e80238063b8164.exe
Size

108KB
MD5

48acc010b209323240e80238063b8164
SHA1

db8c5fe801534cc103a5519a9389f82be4b028b7
SHA256

eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0
SHA512

467b6f80f5e80f911c7ab2002968d6b2300d040d8801272d695b0fbf0d565d5010351235b801b5f0094cb44976995e9edbaf8a55569349c7330a94a7137e608f
SSDEEP

1536:mjLaMv3xnCwNz0DxkJ0PpKtzz0imm6g5ckJUD1LZ38hqiDsIxI9He2q0T6ow4U6:meYBCwqDxkJKpqjoOklZ4DzI02DHwa

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\szwtvt64.sys	Setup.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014ba6-13.dat	acprotect
behavioral1/files/0x0007000000014b5b-20.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2036	Setup.exe

Loads dropped DLL 12 IoCs

pid	Process
1652	48acc010b209323240e80238063b8164.exe
2036	Setup.exe
2036	Setup.exe
2036	Setup.exe
2036	Setup.exe
2036	Setup.exe
2460	regsvr32.exe
2292	rundll32.exe
2292	rundll32.exe
2292	rundll32.exe
2292	rundll32.exe
1652	48acc010b209323240e80238063b8164.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014ba6-13.dat	upx
behavioral1/files/0x0007000000014b5b-20.dat	upx
behavioral1/memory/2460-25-0x0000000010000000-0x0000000010017000-memory.dmp	upx
behavioral1/memory/2292-33-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1652-35-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2292-36-0x0000000010000000-0x000000001001E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wintvt64.dll	Setup.exe
File opened for modification	C:\Windows\SysWOW64\wintvt64.dll	Setup.exe
File created	C:\Windows\SysWOW64\szwtvt64.dll	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	2460	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2292	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2292	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2292	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 1652 wrote to memory of 2036	1652	48acc010b209323240e80238063b8164.exe	28
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2036 wrote to memory of 2460	2036	Setup.exe	29
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2460 wrote to memory of 2120	2460	regsvr32.exe	30
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31
PID 2036 wrote to memory of 2292	2036	Setup.exe	31

C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe
"C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe" 48acc010b209323240e80238063b8164 /s
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\wintvt64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 292
      4⤵
      Program crash
      PID:2120
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\system32\szwtvt64.dll",StartByHostEx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hostA\A\a.sys

Filesize
12KB

MD5
f0ed35df7868e035ef4d24f4ed2275df

SHA1
0311ced9b0fc9d48cbca3c82a20e6a69ad634224

SHA256
c29aacebd737d8dc4a04ede748feb2015653e5be849df503116579be877c4a1f

SHA512
9996bcc542e42b44c77a0577710320330781499a82a75f1d2a485c12426e6662266f1cf350b899ed346509f3949e97734fdc0847703c41eeecc8c707200ccc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostA\A\staA.dll

Filesize
31KB

MD5
dc7a726988c0fd975c6289f4a10f7f4a

SHA1
6d1ac62e4cf452e750e8280e52a0289815a91fe0

SHA256
2590fbb815f0ff0ad462d97bc888ec444d3f96f33b8b9b03d3201d4c5d19117e

SHA512
282c052261341e0523a2424784b2fafa32250fce2b8bdc4a399bf52ddf3f3fe00a6f29b9098e8c3362cc073c7498a368ebf4b5c1725fbb195372c369afe7b7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostA\A\winA.dll

Filesize
32KB

MD5
4b9c0a72a21e2302499f9205691d4d97

SHA1
c832ead6f4e0e8850246072920ed05891d8adcfc

SHA256
7dea44ae86ac4217c78a6ce3a662dc74c26a5b7ed8dfcb381acb7f70629def40

SHA512
989ddca552974b919d892d3fb7b30ff252dac55e06a9f6dd173982537fb48ea581ba96f40d099f8f9149b294ff7444ba245f11deabf60ca2b65cf2199b049827

Download Submit
\Users\Admin\AppData\Local\Temp\hostA\Setup.exe

Filesize
44KB

MD5
662efb61c90b91e9bccc9b88c47b8514

SHA1
49bf37470ffe9ee5beb66a872212a533365d5b1b

SHA256
58bedb0c116624d77201fa0d6baf6211da9c7071ea239ce1e6040d1026f3005a

SHA512
4bf7e8634fcc8f153392d08704ce22f48720321d724a8efbd3c35be63d5c2842fca94163c1e156a03606c4ec6c801deaed5982ff7487b38c54b289a715511939

Download Submit
memory/1652-35-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2036-19-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2036-21-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2036-26-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2036-27-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2292-33-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2292-36-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2460-25-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download