eca1230c4759c29f36e2db6d7568e05eded2a2a76093c1f384cf82b5bb617d70

General

Target

526ff56eeb5285d9cbe54a4406503525.exe
Size

949KB
MD5

526ff56eeb5285d9cbe54a4406503525
SHA1

fc553df69adc8e44b3bd66be87600f63376131fb
SHA256

eca1230c4759c29f36e2db6d7568e05eded2a2a76093c1f384cf82b5bb617d70
SHA512

bdd2887c8426d3372a1a5f26dfa6709734c3d554db6c668e955e8b87e67f902c775f363e3323accdcfb7dd7a4183853365d729f8107b2cf92544606cde7b74c9
SSDEEP

24576:wwKjUe+5/w7ZSi5ifzYotKyxUQ+E/B7Z5:ww6+N+ALK++odf

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/1596-5-0x00000000748F0000-0x00000000748F9000-memory.dmp	acprotect
behavioral2/files/0x000a0000000231fb-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
3792	explorer.exe

Loads dropped DLL 6 IoCs

pid	Process
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1596-5-0x00000000748F0000-0x00000000748F9000-memory.dmp	upx
behavioral2/files/0x000a0000000231fb-2.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 3792	1596	526ff56eeb5285d9cbe54a4406503525.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\WOW6432Node\CLSID	526ff56eeb5285d9cbe54a4406503525.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\WOW6432Node\CLSID\tst_key = "test_ok"	526ff56eeb5285d9cbe54a4406503525.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe
1596	526ff56eeb5285d9cbe54a4406503525.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3792	1596	526ff56eeb5285d9cbe54a4406503525.exe	91
PID 1596 wrote to memory of 3792	1596	526ff56eeb5285d9cbe54a4406503525.exe	91
PID 1596 wrote to memory of 3792	1596	526ff56eeb5285d9cbe54a4406503525.exe	91
PID 1596 wrote to memory of 3792	1596	526ff56eeb5285d9cbe54a4406503525.exe	91

C:\Users\Admin\AppData\Local\Temp\526ff56eeb5285d9cbe54a4406503525.exe
"C:\Users\Admin\AppData\Local\Temp\526ff56eeb5285d9cbe54a4406503525.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\SelfDel.dll

Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\mdimixutnad.dll

Filesize
175KB

MD5
8e99e3835ee6141775edbfeef1a04881

SHA1
c0608c34be9ac252d9952bfa18e7db4e94ec6780

SHA256
e6ff3469c398e05794ac33d4e39a4f5c3eaf5cd5fede6b2cef5656cd071213f1

SHA512
a2a5c0151bf83fc81a461a648335286b1ee214907becfb9d43b52b79e5ba686b0ea89e1846ed12fc86591f74071a35d3503bf9e339b4a69552d071248a8402e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\mdimixutnad.dll

Filesize
226KB

MD5
1da54f40198be7b83be94a9acc2eb216

SHA1
078d18320ac2082b5acfe8d5df608359c11cfa16

SHA256
487238e81ec6ff27c1db6c18ae05c470d4616803d390b766fb3905dc9e9decf8

SHA512
d6d446db2a19ffed0969d3111af4299dc6962bf8a9cb02df8425a23e5403dc367b52ed511d7ba5c47ea90484c1f06118f5ab23f1a54043f86b5a0fd3d3e808c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\mdimixutnad.dll

Filesize
176KB

MD5
529f01391d54c31d909e47a7e37192a2

SHA1
ed698763b08ffbcdbffa9dfd83943f9f3363a91d

SHA256
186fc72edbe1a532c4e2f844352e948bdcfa0bb1cf4dbb5e406649cf367b26c9

SHA512
e4fee3eddaf697dfff8dbeea2530cb8ece2d2db3b75265f926077280af726ad74ee871e4a34ef9c6a1d5f76469f908fed380f0620bbec2c8f9c0568fc1faa384

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E5F.tmp\nsProcEx.dll

Filesize
32KB

MD5
ed7ba4dc1df007a788f0ef3dd65f95be

SHA1
62f88e158a03ff1bc70ac6e3cb993d91ff4e000c

SHA256
e7a1c7da9b1d9f483b572e00aa9586c46fbc480dbc2accee5703ac223eea7071

SHA512
3f9f0a00b848dcc49af1c5c8b34e63452d448eb3626a5501be1b3207961c0ae9297010394b7e3cea3c27319d09dc3ae7731eb5d112fe9bacd30ae92cc8340bb0

Download Submit
memory/1596-5-0x00000000748F0000-0x00000000748F9000-memory.dmp

Filesize
36KB

Download
memory/1596-26-0x00000000028E0000-0x000000000296A000-memory.dmp

Filesize
552KB

Download
memory/3792-22-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing