e252c533572f241e7c1accf9f4c19c1f157f75edb6803148f391df8e0d75895e

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACpass.exe
Size

1.1MB
MD5

4e187e0549136e7a17d74449bb918458
SHA1

8a266b55c7e7bda8db8fc35f140776fad0d8c104
SHA256

b99041db57c7811509738ded80b9fa14a1be4e842eb8cf7c70b35cb66fdea62a
SHA512

c29ea549d69476b491d2b470eb025c652553dae1c81478349b2aded100328be59f39fc5282106ecb310caee17ba07b5ba7a41906e11f5dd0db89c060fd684ccc
SSDEEP

24576:EpniDGwA7mhhBLCpxtmA3Dai9vDE/PH3Uh32ARsa3kY2+mO8q:aiDGGhBL6xt5Z9bE/fkhmo13O+mOJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	is-QVEH9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2820	3004	ACpass.exe	41
PID 3004 wrote to memory of 2820	3004	ACpass.exe	41
PID 3004 wrote to memory of 2820	3004	ACpass.exe	41

C:\Users\Admin\AppData\Local\Temp\ACpass.exe
"C:\Users\Admin\AppData\Local\Temp\ACpass.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\is-2JG2D.tmp\is-QVEH9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2JG2D.tmp\is-QVEH9.tmp" /SL4 $7004A "C:\Users\Admin\AppData\Local\Temp\ACpass.exe" 940451 52224
  2⤵
  - Executes dropped EXE
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2JG2D.tmp\is-QVEH9.tmp

Filesize
128KB

MD5
61c9d243c394cf854fab4407ea5443ff

SHA1
e29a56688a965e2ede6509081ebcff1c2aa62e62

SHA256
914621ab7856ace80f1855f37dc8176a1f61ef2ea47e105426aebe63c34f6192

SHA512
58a6e395084f0074277ffb25ce425948ae3849ec3864547adb11c754a650b101abb9bd4678fda0ac0a681d03e823a2fd07ce24e591367ac8a8ce8dcd1106a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2JG2D.tmp\is-QVEH9.tmp

Filesize
212KB

MD5
46033d7923d3f6dc1d31641561019a22

SHA1
d4c9ef75553e3e1dee288d7a6f38cea5bc0e7cfc

SHA256
ac6e76d7d83b87bad343e31f69e30e380952f8ec2d56d50b863c9b56b398d85d

SHA512
428c0a5fb07c0a59499daac9a2c46736b155730eb7549d0dbf260b2359d2c742d2c0d6c5eb305dd5dab46264b1d9817a310bd2cecd7bedb2c807155adc075388

Download Submit
memory/2820-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2820-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2820-16-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3004-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3004-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download