bbc0d94f0cdd9711f992b83ef5ad8ced87605b2ede666db7536ea6ce34c192a3

General

Target

8a9cacd789a6b530c5aefa0a3f5a5952.exe
Size

4.3MB
MD5

8a9cacd789a6b530c5aefa0a3f5a5952
SHA1

18c2d69de57fbd554d5a8e59d8a9c229afc8cadc
SHA256

bbc0d94f0cdd9711f992b83ef5ad8ced87605b2ede666db7536ea6ce34c192a3
SHA512

022a776f5a6bde4dc799ec0b1cc152eab2b31f86b2bc6036528a57c850a3b69f670a85efb0368b9bdf06daf55490205fb10885082cef3ff53330dde3817eff42
SSDEEP

98304:By3taq6A+5u9oVa6TuVBkiF+LPJ5WRIwGhvSbTTN4uMi2Gsc:c3taVzE6s6uBzbIw8UBMi6

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000018b60-13.dat	acprotect
behavioral1/files/0x0006000000018b55-16.dat	acprotect
behavioral1/files/0x0009000000012270-19.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe
2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe
2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018b60-13.dat	upx
behavioral1/memory/2668-17-0x0000000074FF0000-0x00000000752A1000-memory.dmp	upx
behavioral1/files/0x0006000000018b55-16.dat	upx
behavioral1/memory/2668-18-0x0000000074F30000-0x0000000074FE1000-memory.dmp	upx
behavioral1/files/0x0009000000012270-19.dat	upx
behavioral1/memory/2668-21-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2668-22-0x0000000074FF0000-0x00000000752A1000-memory.dmp	upx
behavioral1/memory/2668-23-0x0000000074F30000-0x0000000074FE1000-memory.dmp	upx
behavioral1/memory/2668-25-0x0000000074FF0000-0x00000000752A1000-memory.dmp	upx
behavioral1/memory/2668-26-0x0000000074F30000-0x0000000074FE1000-memory.dmp	upx
behavioral1/memory/2668-27-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2668	2120	8a9cacd789a6b530c5aefa0a3f5a5952.exe	29
PID 2120 wrote to memory of 2668	2120	8a9cacd789a6b530c5aefa0a3f5a5952.exe	29
PID 2120 wrote to memory of 2668	2120	8a9cacd789a6b530c5aefa0a3f5a5952.exe	29
PID 2120 wrote to memory of 2668	2120	8a9cacd789a6b530c5aefa0a3f5a5952.exe	29
PID 2668 wrote to memory of 2836	2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe	30
PID 2668 wrote to memory of 2836	2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe	30
PID 2668 wrote to memory of 2836	2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe	30
PID 2668 wrote to memory of 2836	2668	8a9cacd789a6b530c5aefa0a3f5a5952.exe	30

C:\Users\Admin\AppData\Local\Temp\8a9cacd789a6b530c5aefa0a3f5a5952.exe
"C:\Users\Admin\AppData\Local\Temp\8a9cacd789a6b530c5aefa0a3f5a5952.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\8a9cacd789a6b530c5aefa0a3f5a5952.exe
  "C:\Users\Admin\AppData\Local\Temp\8a9cacd789a6b530c5aefa0a3f5a5952.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls && title BlackBong Software 2016-2018
    3⤵
    PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21202\main.exe.manifest

Filesize
1008B

MD5
ad0ec8ca74f71a81b29b4dfa20e30bec

SHA1
af5cf20cc503e27cdbceabe0d96591e5840f0e4c

SHA256
ce2ef99323bafb9a10a82b643fbed8930bb054ea9d5b06356b9b08c262154b48

SHA512
da46bfc845e3d9354de8d7fa10ad204257fa985e4c4ce01ccc96dfeb14c9de536f31fb1f1ee07baa054a27cf638033f0e6fb5c11c25f98a522fb9dac22033de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21202\python27.dll

Filesize
879KB

MD5
4953718d73246486612d952e00b2deb9

SHA1
c87098ffe58ba2f5c24c9653ea9599da1a65e663

SHA256
ec4d398a61fe2ecb956342f5e2845fd811b436c601f9416ba307592a530c8f70

SHA512
afd60f911b09ba17e0e458b73293499730e7ff87c204ed23a650bcc04a0773d106256e855ec31996735850b15416e6fa64bf16c08a20cb97ce860f6e915a5e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21~1\Crypto.Cipher._AES.pyd

Filesize
16KB

MD5
c5f603fae071c883cf8ca1400855b713

SHA1
fc6fab3bee6aa33354f1dedcb12c207fa42bbc64

SHA256
e44e6dd3cbff07038853d694f960d60c3b60e89389217319ffd176a28e16b086

SHA512
3a8c3a0c7c8c608d12434d6b4eef6cf63cfce039b4d074c90f71a9b2d19a7c0cd983fa0c72ccbd4d1e9b5f21dd7e1dc7e9433d2937dfc592365e1bd73356489e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21202\msvcr90.dll

Filesize
245KB

MD5
d8c78df257e5e96c17bb00a182d33356

SHA1
57b0debedca4f54392e917fb9c8da85c099991bd

SHA256
c895e505610e3e590eb4ecf5a006bf09ff47d4d5f3c6e4e89b356900137e85c0

SHA512
2329710c0ab14b65e696d7788438cfab7c99eb02d195a86d1f349d8acf50976296e85a0c2911a2943b53c61b74bb9ab67d2014dd0a776b1eb80c4a2aba19b5b7

Download Submit
memory/2668-17-0x0000000074FF0000-0x00000000752A1000-memory.dmp

Filesize
2.7MB

Download
memory/2668-18-0x0000000074F30000-0x0000000074FE1000-memory.dmp

Filesize
708KB

Download
memory/2668-21-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2668-22-0x0000000074FF0000-0x00000000752A1000-memory.dmp

Filesize
2.7MB

Download
memory/2668-23-0x0000000074F30000-0x0000000074FE1000-memory.dmp

Filesize
708KB

Download
memory/2668-25-0x0000000074FF0000-0x00000000752A1000-memory.dmp

Filesize
2.7MB

Download
memory/2668-26-0x0000000074F30000-0x0000000074FE1000-memory.dmp

Filesize
708KB

Download
memory/2668-27-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing