e288b191a6d23a63eaed3ad5398447b96d850c52d4acd352fe9e7332322a6865

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98a7872409f8a680d880c79dccf75d98.exe
Size

2.2MB
MD5

98a7872409f8a680d880c79dccf75d98
SHA1

171c826ea5aee09dabf3e053eb961bcc8358956b
SHA256

e288b191a6d23a63eaed3ad5398447b96d850c52d4acd352fe9e7332322a6865
SHA512

1dde49d87a656a1f6737fb6ea85a5e07a2950eee9db29434623da7b7ff64cb9f6d3a28146d8bbf5395b1488c28c4e369ef80b940924463b45163454ee529b95f
SSDEEP

49152:FCnGlLFDOpX0F9aPm6sOyQr8qHg6Gbul/V71b1dzYfjM:FOGzDOuGP9sOypugTO7F1dzN

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000141b0-16.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
1704	98a7872409f8a680d880c79dccf75d98.exe
1704	98a7872409f8a680d880c79dccf75d98.exe
1704	98a7872409f8a680d880c79dccf75d98.exe
1704	98a7872409f8a680d880c79dccf75d98.exe
1704	98a7872409f8a680d880c79dccf75d98.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000141b0-16.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	98a7872409f8a680d880c79dccf75d98.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	98a7872409f8a680d880c79dccf75d98.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	98a7872409f8a680d880c79dccf75d98.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1704	98a7872409f8a680d880c79dccf75d98.exe

C:\Users\Admin\AppData\Local\Temp\98a7872409f8a680d880c79dccf75d98.exe
"C:\Users\Admin\AppData\Local\Temp\98a7872409f8a680d880c79dccf75d98.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
23KB

MD5
f9ac4bf38b52fab2b9917e8ffaa6b806

SHA1
8f355e133e517a406f96a837d76897e9ecf237c5

SHA256
9ed7c4736e2d590fce30cdd4b885d46cca59deff9d35f2fed43b685b998f6ade

SHA512
f2cea92ff9fa225752ef82773bc2fb9130fdbf436752263309594b91c37f5a7f7e6f1d45be05e1b460c52c5f52ead5fc0acae7e50403b86f3e439d9adec295e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstAFA.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFA.tmp\LangDLL.dll

Filesize
1KB

MD5
c259934a9f18096037dc2f67e17862bb

SHA1
c6dcce40f89b27fc4dd1d564eb912f3486592b24

SHA256
4351dde24007271f60e8a5e93b1e052544b5d72965228cbf0e4ef3701c0616cb

SHA512
1949fc9e42f19d75a0e0c5ad48b6e54e2c8a5b8c5d930ed4671abef581c5751120c51838c794124995e3563d4dc5b345ff4596325dcbd884eb09fb86b7e6046d

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFA.tmp\System.dll

Filesize
1KB

MD5
cc6f3a883d1cbf9919505dab0e0ed46b

SHA1
b6e575c387c0c73f74755e0c074eb7e99d4d3558

SHA256
58ba125965c7d76532ada34714332e08e407d6cf676840d65c910e1e951a8bcd

SHA512
f72930ff304abb238b5a7c99cee6bc26dde02fa4abc7fb81887eaa2c45c1c81a6173fa295c1f98be1a4c142d77685925cd7860b467c116d706e654ff6d909d64

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFA.tmp\nsDialogs.dll

Filesize
8KB

MD5
70ff3467972798867e07b3bd4e5fef33

SHA1
a69a9cb5117224a9445b379ccde3f5abcd939a43

SHA256
cff57fcdc8ac8a5a84ecbb017c9b635981bd8042bbabb1fe1d79df0f2c6cb0df

SHA512
247f1ce690e44fdd01eb46ed4e664d93071dfdfeeb373389242acdd6728810f57b960aae65d777ed372a63527d7ff30072cfb77043f3392216865ac56b8fffde

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFA.tmp\nsRandom.dll

Filesize
2KB

MD5
66e62dd6a345f29838c0f8910eeab235

SHA1
eaf4a8f96d384087e8d32bde277be0932eb90b92

SHA256
bd8f920b13be217e1b23f65653f69accc2c944d5ff28e8595791590c176e069e

SHA512
36066e2bb1f21fc949ab5bf509f74124aad97c8fff3d6d0b2ccc02459f4cf99c2ffc9c1fd9bf68cd84f88bb64b41392f028b09b66e367d63a25d0ffd460aa76a

Download Submit
memory/1704-21-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/1704-69-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download