Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 23:38
Behavioral task: behavioral1
- Sample: 7329a0cfd3568b9213614de6b0ebada6.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7329a0cfd3568b9213614de6b0ebada6.exe
- Resource: win10v2004-20231215-en
General
- Target: 7329a0cfd3568b9213614de6b0ebada6.exe
- Size: 27KB
- MD5: 7329a0cfd3568b9213614de6b0ebada6
- SHA1: 2bc6f547a3d11a5dbb4f545f82d8d932168bf3d7
- SHA256: 9d7b0479d5a3282d36de5550ac701dcc326d9cf66913b89123660d9a1d4f76b5
- SHA512: 9766d9dfd7375b04c94f42c6306255c5bb1433c2da5301901a67251ed10cb13c43117afe69f16742d7392d6e4c2078dd21291d26f751a0153982ec0321986844
- SSDEEP: 768:88blrPTb8+UvVX6mIwhyWay3BZsFmndzG2V/E:dR78n6hwM+A0dzGgE
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x000b00000001562f-4.dat | acprotect
- Deletes itself (1 IoC)
  pid | Process
  2316 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  840 | 7329a0cfd3568b9213614de6b0ebada6.exe
- YARA rule matches: upx (4 IoCs)
  resource | yara_rule
  behavioral1/memory/840-3-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral1/files/0x000b00000001562f-4.dat | upx
  behavioral1/memory/840-6-0x0000000010000000-0x0000000010012000-memory.dmp | upx
  behavioral1/memory/840-8-0x0000000010000000-0x0000000010012000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\CJPtNyJ6HWTgWWJdUe.dll | 7329a0cfd3568b9213614de6b0ebada6.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\fOnts\SubDRs4ZdZYuXb.Ttf | 7329a0cfd3568b9213614de6b0ebada6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID | 7329a0cfd3568b9213614de6b0ebada6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{349F9B06-D92F-4AF9-AE96-6730A16821F9} | 7329a0cfd3568b9213614de6b0ebada6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{349F9B06-D92F-4AF9-AE96-6730A16821F9}\InprocServer32 | 7329a0cfd3568b9213614de6b0ebada6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{349F9B06-D92F-4AF9-AE96-6730A16821F9}\InprocServer32\ = "C:\\Windows\\SysWow64\\CJPtNyJ6HWTgWWJdUe.dll" | 7329a0cfd3568b9213614de6b0ebada6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{349F9B06-D92F-4AF9-AE96-6730A16821F9}\InprocServer32\ThreadingModel = "Apartment" | 7329a0cfd3568b9213614de6b0ebada6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{349F9B06-D92F-4AF9-AE96-6730A16821F9}\InprocServer32 | 7329a0cfd3568b9213614de6b0ebada6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 7329a0cfd3568b9213614de6b0ebada6.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  840 | 7329a0cfd3568b9213614de6b0ebada6.exe
  840 | 7329a0cfd3568b9213614de6b0ebada6.exe
  840 | 7329a0cfd3568b9213614de6b0ebada6.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 840 | 7329a0cfd3568b9213614de6b0ebada6.exe
  (this identical row is repeated for all 64 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  840 | 7329a0cfd3568b9213614de6b0ebada6.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 840 wrote to memory of 2316 | 840 | 7329a0cfd3568b9213614de6b0ebada6.exe | 28
  PID 840 wrote to memory of 2316 | 840 | 7329a0cfd3568b9213614de6b0ebada6.exe | 28
  PID 840 wrote to memory of 2316 | 840 | 7329a0cfd3568b9213614de6b0ebada6.exe | 28
  PID 840 wrote to memory of 2316 | 840 | 7329a0cfd3568b9213614de6b0ebada6.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\7329a0cfd3568b9213614de6b0ebada6.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7329a0cfd3568b9213614de6b0ebada6.exe"
  PID: 840
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (tree depth 2, child of PID 840)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7329A0~1.EXE >> NUL
    PID: 2316
    Signatures:
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21KB
  MD5: e2cbae5be653c750498839e4a54e3b39
  SHA1: c84093789f783bf2a0ba22826b5ddd33a8a788b4
  SHA256: 0658f34e865da3fbba79e191ec71c3a68c6dafeba4e8bd1960054bab44d80059
  SHA512: b477b6eabddd1f881ba9a200e7ac71837c6a6dddfe4e61e2b1688e85e6495dd9a01f7c841fad5815c63acd6728bbe2e6c16ec1d3b2a5698025d96e7f527251a8