2412523a24c46311eb73b02fa8c01c486bd2e5fee2cacf8706e9fba9eddd5091

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 02:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57c51cd3f760c2138e45c587c6cf8791.exe
Size

454KB
MD5

57c51cd3f760c2138e45c587c6cf8791
SHA1

80ffb404e8b1916555a9945404694213f15c875e
SHA256

2412523a24c46311eb73b02fa8c01c486bd2e5fee2cacf8706e9fba9eddd5091
SHA512

b23eaac1e7bfde188be3360701664cf9b230abddcb0de1fd4e5ed6bf6107e890d79d19b5fe4059f35664a2ecf480f1094c9937ae7c4ee7747ab89ba42943f387
SSDEEP

12288:ZkPSYMNrDdQ1s15Ap/G/8g3D0Fw/tN8dkmLtpHHHrh7K:ZYPMk6j8gz0FmcLbH1K

Score

9^/10

evasion upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000146b8-71.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	57c51cd3f760c2138e45c587c6cf8791.exe

Loads dropped DLL 40 IoCs

pid	Process
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe
2348	57c51cd3f760c2138e45c587c6cf8791.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000146b8-71.dat	upx
behavioral1/memory/2348-83-0x0000000074720000-0x000000007472A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	57c51cd3f760c2138e45c587c6cf8791.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	57c51cd3f760c2138e45c587c6cf8791.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1720	powershell.exe
848	powershell.exe
2360	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1720	2348	57c51cd3f760c2138e45c587c6cf8791.exe	30
PID 2348 wrote to memory of 1720	2348	57c51cd3f760c2138e45c587c6cf8791.exe	30
PID 2348 wrote to memory of 1720	2348	57c51cd3f760c2138e45c587c6cf8791.exe	30
PID 2348 wrote to memory of 1720	2348	57c51cd3f760c2138e45c587c6cf8791.exe	30
PID 2348 wrote to memory of 848	2348	57c51cd3f760c2138e45c587c6cf8791.exe	33
PID 2348 wrote to memory of 848	2348	57c51cd3f760c2138e45c587c6cf8791.exe	33
PID 2348 wrote to memory of 848	2348	57c51cd3f760c2138e45c587c6cf8791.exe	33
PID 2348 wrote to memory of 848	2348	57c51cd3f760c2138e45c587c6cf8791.exe	33
PID 2348 wrote to memory of 2360	2348	57c51cd3f760c2138e45c587c6cf8791.exe	35
PID 2348 wrote to memory of 2360	2348	57c51cd3f760c2138e45c587c6cf8791.exe	35
PID 2348 wrote to memory of 2360	2348	57c51cd3f760c2138e45c587c6cf8791.exe	35
PID 2348 wrote to memory of 2360	2348	57c51cd3f760c2138e45c587c6cf8791.exe	35

C:\Users\Admin\AppData\Local\Temp\57c51cd3f760c2138e45c587c6cf8791.exe
"C:\Users\Admin\AppData\Local\Temp\57c51cd3f760c2138e45c587c6cf8791.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -InputFormat None -NoProfile -NoLogo -Command "& {$vpns = @('ok^'); Get-WmiObject Win32_SystemDriver -Filter \"DisplayName like 'TAP-Win%'\" | ForEach-Object {$vpns += 'OpenVPN'}; if (@([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | Where-Object {$_.RemoteEndPoint.Port -eq 1723}).Count) {$vpns += 'PPTP'} if (@([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveUDPListeners() | Where-Object {$_.Port -eq 1701}).Count) {$vpns += 'L2TP'}; $vpns -join '|';} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -inputformat none -NoProfile -NoLogo -Command "Write-Host ($PSVersionTable.psversion)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS^|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)^|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)^|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)^|$($_.productState)\"};} Write-Host ($avlist -join \"^*\")}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst61A.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
129KB

MD5
ef03569d976e59fbb23f5802ee8bd855

SHA1
ba8b56d58eb0adcedef071afa24fdbef4fa7f111

SHA256
99c715f84a8bc77538ac31cffe034a244d361729778fc7e7b3853e02dfbb2030

SHA512
fc1a0b99298e5c06612d17f4cff6e2c40eaf4ea81b3993b0a65f6be840aaba6f3bbd4a125cca5eb47038566d1a1c1c8f153a8e9a2d88e2f334101a7f806982df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst61A.tmp\WmiInspector.dll

Filesize
93KB

MD5
cd390387039d7d2928e297b3d23edbc8

SHA1
9d6fb8ca71214be21a0a57ed5abdffde71870549

SHA256
6a91606c5b6de503e35d30112368ed5fdf30eaeabe0f0ecef8b50b08c4ca1870

SHA512
f96711484dd1730c6b1108ec0356aeb3b8f0a3aabe8b13c09ce8c1454dc7b0d64859ac0b8eadedecf8a1a21d43e29576c779625b6571202f7469bf74e1c86483

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CWNLV5OGAFJ6QN0HCQM0.temp

Filesize
7KB

MD5
4176f323660317af0420329a62b995c4

SHA1
aa7cd223ea2c71e9c1043da104f5706a9b6b9d1f

SHA256
63599b36227043d40d7bf5e5d550aa8329e71130f3e7cc6b73945c41551ae1b4

SHA512
a4d3a0aadf73590aa08bc325b8bfddb6f26a10d80ef95395c7d27c0dd2b03195e1a12dff03d21ae70037a9c61e52ce73a68466441add7b4757b0313c17610f6c

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
37KB

MD5
0c77f116e6470de3cb13b40842dbd277

SHA1
c28df189fada954116aca410739841fb91551010

SHA256
9609a14a492c40261d369d766bb1f7a2301d812ff9a587388c5de7a8899fb807

SHA512
e245083903202fd12dce69f24c1ff2cfd1f4b084f638321d51a5f1e6c2f65e611379b7b3886dad6ecd6b34fe7a8e93e9e31773eab4079bae27092f5ec01b644b

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
92KB

MD5
0c45eac82bfffdac39f32796c1ebfdbb

SHA1
88c227d2d23bc2ce3269242a5e3bc132e8419794

SHA256
d1f937df6a9900037b75c765e320ab502d4ab33a88ef8244d63297caf60c0de8

SHA512
c332a0d64584c1b094407382e56fc7f9a6b29eff7d4f03fe4cd534c08e405d3607b8ef563950d3b062949c28d87398567b6307f285b2984e91506424c805bcd4

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
45KB

MD5
18bf32f30665a3accee570c380590540

SHA1
ec5e21e00512894082156b03459d6ed2d6891097

SHA256
a666eb96ee8e5300ae9f723152e359a979624390878aecae679a2dfe75469c79

SHA512
8c008fc56c2506eef94cb4c2e4131daad7c20878b1706ddb5a3d6ec6fdaa1cf19e4f684620ea48dc343e3528a6043044b7a74325b4b467c7d3c3715ad97d52aa

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
62KB

MD5
0f2181d59dd19bfa549c3ceb26dbd555

SHA1
e9bd0be315e45672b5ce6556fbdaf47b9d432dd0

SHA256
3db794d8682e3e0cc4ff8da8149a9d3090fe072f328c8818a7881addd458ba15

SHA512
c88a86723456e45af52580adc7e5ae85783e7d503699d39e0ff44c19726b6be796755114fef13a7b07ea76fd563a7ea5e7bbb5c423544eb405b541942a80e744

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\NSISEncrypt.dll

Filesize
30KB

MD5
b057e2d2935e2bcceeaa40ed5f40b08d

SHA1
dc375d86c0f79c2159526ea8a2aa46272fc3209d

SHA256
25d024445c2f38a424a506dbae52cf43e2cbac1fbe1842cc811fdb228a17547b

SHA512
5634e94469f10facba917d3b2cedbd2cba1287a1f59388c162ac48d8686f423378953dc6cee2f72a79a69a55b73851ba78ae728870914f33f727c200d7bac7bb

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\inetc.dll

Filesize
20KB

MD5
e541458cfe66ef95ffbea40eaaa07289

SHA1
caec1233f841ee72004231a3027b13cdeb13274c

SHA256
3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420

SHA512
0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst61A.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/848-132-0x0000000072FD0000-0x000000007357B000-memory.dmp

Filesize
5.7MB

Download
memory/848-131-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/848-130-0x0000000072FD0000-0x000000007357B000-memory.dmp

Filesize
5.7MB

Download
memory/848-133-0x0000000072FD0000-0x000000007357B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-95-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-93-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1720-94-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1720-92-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-91-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-83-0x0000000074720000-0x000000007472A000-memory.dmp

Filesize
40KB

Download
memory/2348-14-0x0000000000530000-0x0000000000556000-memory.dmp

Filesize
152KB

Download
memory/2360-143-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-144-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2360-147-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2360-148-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-146-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2360-145-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download