1f2f38766e7ed058845430f9a50b1e5a924632a248570b5d34be000633ed7165

General

Target

SecuriteInfo.com.Trojan.Dorv.20162.exe
Size

2.6MB
MD5

cae45149321a94c1677620f539b48642
SHA1

a3a325b4cb8ac5420c9dc9718ffebc6eead74bc3
SHA256

1f2f38766e7ed058845430f9a50b1e5a924632a248570b5d34be000633ed7165
SHA512

5e293869fbad31892805ac72d7051573edee1432151bde2aacbac5f605a7a14bf413f219d9d998caf062a40f6f658c87c938fcb0c31a7d326a72634f20e2a8c7
SSDEEP

49152:ZPU92dMYNc70530EXdURjcerptI2LkvBMsbgOacKkgHc8pN:uQ2YNc70URwkpCSLsbGPPN

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0034000000015cb3-19.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp

Loads dropped DLL 5 IoCs

pid	Process
3016	SecuriteInfo.com.Trojan.Dorv.20162.exe
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	SecuriteInfo.com.Trojan.Dorv.20162.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28
PID 3016 wrote to memory of 2680	3016	SecuriteInfo.com.Trojan.Dorv.20162.exe	28

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dorv.20162.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dorv.20162.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\is-K0B8A.tmp\SecuriteInfo.com.Trojan.Dorv.20162.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K0B8A.tmp\SecuriteInfo.com.Trojan.Dorv.20162.tmp" /SL5="$40016,2218981,139776,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dorv.20162.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-I7LQ9.tmp\ItDownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7LQ9.tmp\WaterLib.dll

Filesize
123KB

MD5
b4ae1b26b68545a823f067738a6877f9

SHA1
a90a812cac906afb2fbe2a400746de67c845ecb0

SHA256
57ec9023fddd0e0dedffc93bae937442eebd648a4d14383b22fb1a787582cbbc

SHA512
64b6e3ac5eba6231dabe61b73feb8bbeb2015cf871858aa0163fbc84b41912f8453aa16d6939f4d82f235929dbe333c5534965ceb2c83c67720f5f336ca3ccef

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7LQ9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K0B8A.tmp\SecuriteInfo.com.Trojan.Dorv.20162.tmp

Filesize
1.2MB

MD5
30625d674945acbe08c37dd26a6d04c2

SHA1
356012b1562ab8509c68d82197b7016f0029d192

SHA256
b9523e92d20b8279560405b6c931048bba529bab102202a53d1216e360ef45f2

SHA512
d33c7d59353b9538187c8cf4b274ee9ac3c886fd16c3e61ec8b417de8e59d39d44c9def3fd88c725e6e85dfa822837aa52597b55c39cd023924bae1dcd1ce5a1

Download Submit
memory/2680-29-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-38-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-23-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-25-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2680-82-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-27-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2680-28-0x00000000031A0000-0x00000000031DC000-memory.dmp

Filesize
240KB

Download
memory/2680-78-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-34-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-16-0x00000000031A0000-0x00000000031DC000-memory.dmp

Filesize
240KB

Download
memory/2680-42-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-46-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-50-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-54-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-58-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-62-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-66-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-70-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/2680-74-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/3016-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3016-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing