4023c71c012e71b35499842d17f3eaa3866a6a47a341da1d2b1e564e6c77ede1

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 18:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6c55029bf90ea607deff9b3b88c832c.exe
Size

1.2MB
MD5

c6c55029bf90ea607deff9b3b88c832c
SHA1

9cd2c8676e147b9c113bc46269e42489724e2d27
SHA256

4023c71c012e71b35499842d17f3eaa3866a6a47a341da1d2b1e564e6c77ede1
SHA512

fb535ea1fe898eb9e966246bbec6d73b3fd4e52d8cf11b3ac5746943f9818e03e24c2e9bf5f71bc57fdac8234548419619c320fb74ac2a57e7c15446e8d32e49
SSDEEP

24576:W6fyswyyyyxyyyyyyygYYYYjYYYYYYjYYrYYYYYYjYYYYYYYrYYjYYYYYYjYYYY4:xfyswyyyyxyyyyyyyO+u+5isA8xDukIR

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001225b-2.dat	acprotect
behavioral1/files/0x000a00000001225b-26.dat	acprotect
behavioral1/files/0x000a00000001225b-24.dat	acprotect
behavioral1/files/0x000a00000001225b-23.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2476	RegCool.exe

Loads dropped DLL 5 IoCs

pid	Process
2212	c6c55029bf90ea607deff9b3b88c832c.exe
2856	c6c55029bf90ea607deff9b3b88c832c.exe
2856	c6c55029bf90ea607deff9b3b88c832c.exe
2856	c6c55029bf90ea607deff9b3b88c832c.exe
2476	RegCool.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2212-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000a00000001225b-2.dat	upx
behavioral1/files/0x000a00000001225b-26.dat	upx
behavioral1/memory/2856-28-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2856-25-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/files/0x000a00000001225b-24.dat	upx
behavioral1/files/0x0006000000016051-31.dat	upx
behavioral1/files/0x000600000001604a-29.dat	upx
behavioral1/files/0x000600000001604a-32.dat	upx
behavioral1/files/0x000600000001604a-33.dat	upx
behavioral1/memory/2476-35-0x000000013F730000-0x000000013FD73000-memory.dmp	upx
behavioral1/files/0x000a00000001225b-23.dat	upx
behavioral1/memory/2212-61-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-60-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2856-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2476-64-0x000000013F730000-0x000000013FD73000-memory.dmp	upx
behavioral1/memory/2856-62-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2212-67-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-81-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-93-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-100-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-107-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	c6c55029bf90ea607deff9b3b88c832c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	c6c55029bf90ea607deff9b3b88c832c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	c6c55029bf90ea607deff9b3b88c832c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2212	c6c55029bf90ea607deff9b3b88c832c.exe
2212	c6c55029bf90ea607deff9b3b88c832c.exe
2212	c6c55029bf90ea607deff9b3b88c832c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2476	RegCool.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	c6c55029bf90ea607deff9b3b88c832c.exe
Token: SeDebugPrivilege	2856	c6c55029bf90ea607deff9b3b88c832c.exe
Token: SeTakeOwnershipPrivilege	2476	RegCool.exe
Token: SeRestorePrivilege	2476	RegCool.exe
Token: SeSecurityPrivilege	2476	RegCool.exe
Token: SeBackupPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe
Token: 33	2476	RegCool.exe
Token: SeIncBasePriorityPrivilege	2476	RegCool.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2856	2212	c6c55029bf90ea607deff9b3b88c832c.exe	29
PID 2212 wrote to memory of 2856	2212	c6c55029bf90ea607deff9b3b88c832c.exe	29
PID 2212 wrote to memory of 2856	2212	c6c55029bf90ea607deff9b3b88c832c.exe	29
PID 2212 wrote to memory of 2856	2212	c6c55029bf90ea607deff9b3b88c832c.exe	29
PID 2856 wrote to memory of 2476	2856	c6c55029bf90ea607deff9b3b88c832c.exe	28
PID 2856 wrote to memory of 2476	2856	c6c55029bf90ea607deff9b3b88c832c.exe	28
PID 2856 wrote to memory of 2476	2856	c6c55029bf90ea607deff9b3b88c832c.exe	28
PID 2856 wrote to memory of 2476	2856	c6c55029bf90ea607deff9b3b88c832c.exe	28

C:\Users\Admin\AppData\Local\Temp\c6c55029bf90ea607deff9b3b88c832c.exe
"C:\Users\Admin\AppData\Local\Temp\c6c55029bf90ea607deff9b3b88c832c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\c6c55029bf90ea607deff9b3b88c832c.exe
  "C:\Users\Admin\AppData\Local\Temp\c6c55029bf90ea607deff9b3b88c832c.exe" -sfxwaitall:0 "RegCool.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegCool.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegCool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegCool.exe

Filesize
157KB

MD5
a732868af68279361c5633abe615eac5

SHA1
e20c8dda4078178cf90d7d5b6023c4edbddd4815

SHA256
65572e50d8bb648a0df89b6dcba9cb666a4bb45f67399c07da4f26e0eee0d9aa

SHA512
c4692e20faa5ccd3797591d21f7eea8a3a125e4edf32b0164171a1cf0d849bc9ca1d3bd79c94b9ed6718429e2744bd2353213805c0d0e074c42ce9eef5974f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegCool.exe

Filesize
121KB

MD5
1d0178e7d2d03f6f368cd1d03ce0c734

SHA1
714d8aedc2dcaf23503426ac83063468011bae0d

SHA256
99963554b6c7bc05525e4749b0172d8ea677333cbed20dae20aab36fca8480d9

SHA512
e01dc09fa61927c6c3def20dad1fee306b044b68339b9381ac8d3ecbc10ae35a7e261f897f0129e6bf18af06cfdcfa63f64f392727f533bbc0924484a7cf97e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Settings\inifile.ini

Filesize
1KB

MD5
da6911d58e6b7989220fa50488c01311

SHA1
820bec2f1191eed372bb90432218b50d23ef6e72

SHA256
c910078bdf14d75afa5f405f2e43c8c56a00078d3edb73231cbc49a96da2db5b

SHA512
32dd3451d7779f5311215f90e8ed3249287b3c89cbda7dd68693faf687ce816d58fdca4c811969a27f988447e7addcf3f22dab446b1c0c5598b18b4ae102c3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Settings\inifile.ini

Filesize
1KB

MD5
999aef827f11f92713995347437ebe40

SHA1
4e13b15b06bdfea4b4b08a074f5d12656cda3796

SHA256
97b739e6812889b203cd9bfef2da307cd700a4d110aad93052599beb9965dd21

SHA512
81320766d3680940ab882d3be01c1d7f157a884070ee4908560faf9a400d6b836589adaa0bef4cd1ca1e6acc85f5f90bf098ba88ea5ac280b84c4385e18e9557

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\Updater.exe

Filesize
45KB

MD5
46f9b6d19e5cadb57459da75b93b988f

SHA1
956876beceb1b494eaf9748fe8d96533ee090829

SHA256
b837f586b617e3b0a3e5970d7df9ad2c2218cea647ae6666cea4ab7b05e85834

SHA512
a4cc2440c2b564c0ab0109df5366cb802f89df11291c934155b6b79ac3b4a5016d11b6f2a71aa065edb9513977fd08832f6156086839f05a61da757a0a93238f

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\offreg.dll

Filesize
38KB

MD5
43da9878c2a9fde22a153e2ed776b914

SHA1
a0ece8ba85efb1faa890b35534c9fe0f4b690cc8

SHA256
3b46b98b7fac6f0fa9d976fa04c028c1f1515b8323f7870597a9e6e67cba5cd1

SHA512
b532ddd1adb5108cca0ae702a415c1c7a8d18e8a90ace27833129f7155489410062a98b0764aaf4030cb5997b85fdb4f34166351b974f62be7dc2451b4179692

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
28KB

MD5
b82aa7ddaade35c1af0264f21880941c

SHA1
8148a165ae13cbdd3985804d208f0f27e9067e87

SHA256
a52eca8f691a4cfed3bae1f8102ff3c143a452ff9f04fa60ab395a6a01d8c160

SHA512
dc3ae24c9e94f2ba3e0a3b472f5d11b74ecfd57a621cbca8c076e6b5fe5c3149917342daaf063681e2c9e84fcc891ed811df7a4138ebcc8ee9b335963b2671b6

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
45KB

MD5
4c6ecee31b6359ca266f81f715f24480

SHA1
0281366b640156357e7f1b575983ab2abdd4532f

SHA256
f79ee2af637ddb53d64dd155fd40af37f32288228ef1ff2f8b5a042fbc02a9bb

SHA512
f659bd8161ca711986725f5577cd3fc941422c5c43540a3d5b0ec0d35ad6c33e210de2e976e74db021aaa83b25a972f0b5a7ceeb0b4d1f97a2f11ef70a0a07d4

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
32KB

MD5
7b35eee9eb9a8fa57d551779f4d4dc38

SHA1
2da898c4b91c35c0120a02665785b6bb3dbc5e7c

SHA256
e0e7727f6343f9a52765e686dca0d8b54ee7e65e7fc121161d24d54dc56f24fa

SHA512
e078c4702b168720b019cdc62844472b36b92dd6a49384963863fea91686ef1114785fdaca60a112df516bb333d9a6e2cf8cb3650df1476c8345a77588bd11e5

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegCool.exe

Filesize
79KB

MD5
6d4af8a5c0ecd1c423d260c17d49a495

SHA1
c37e470f9523d189f5d228351c41b3aa05f912e3

SHA256
a5808cfdc34b66158c8ddcf54bebbade5594ee248f2d1561c787ec4ea91ff431

SHA512
332dd297d411003ee2034f56d645a1a6d6da119df87f9edaea577cbac04968329f048a0638df96ca7a743eebe8608297628de960bbda2bc1452717020c38eca4

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\offreg.dll

Filesize
55KB

MD5
a8890ffdea66fb5d4235d98d9d9b83c3

SHA1
d8efb114f2328c901138a1b9dcf8880445e0b2e5

SHA256
d23a3390de8d6f90605867cf86f966c98649da1cd204acd18c3a39df66ef9085

SHA512
0be9870fe08cb991f9afae8842d8bd4085a64ee21c4e79f077d0b540b6732916e29681b2cf6197a6b8ef539ff917c8a5288b2411b0413b96dc49d361cfcfef54

Download Submit
memory/2212-61-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-107-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2212-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-100-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2212-93-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-81-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-65-0x0000000075470000-0x00000000754A5000-memory.dmp

Filesize
212KB

Download
memory/2212-67-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2476-35-0x000000013F730000-0x000000013FD73000-memory.dmp

Filesize
6.3MB

Download
memory/2476-64-0x000000013F730000-0x000000013FD73000-memory.dmp

Filesize
6.3MB

Download
memory/2856-28-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2856-68-0x0000000002AA0000-0x00000000030E3000-memory.dmp

Filesize
6.3MB

Download
memory/2856-62-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2856-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2856-34-0x0000000002AA0000-0x00000000030E3000-memory.dmp

Filesize
6.3MB

Download
memory/2856-27-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2856-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download