fa0845ecaf39cf34b4fcc0fffaac0990e9fcf426792d8de12c0130b89dcf9ba5

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a279bd6bee67e910fb463fa75221e5c7.exe
Size

449KB
MD5

a279bd6bee67e910fb463fa75221e5c7
SHA1

d311d6aa8af547a3fe221afe15164736f75d96de
SHA256

fa0845ecaf39cf34b4fcc0fffaac0990e9fcf426792d8de12c0130b89dcf9ba5
SHA512

fe3bd5e2b7d4b4a7b18b2528c29e5bf810dfb48dfb5090c2cf6ae73702ad6f43412393661e691d95b08eb30109529a74f09221495878711d2f7bac9b2e88b2bb
SSDEEP

6144:5ZunObR8sVImcyYC5JNusn3L6KvXwXe3OZaxpr4IjCjPqlbYZFfW552z5c3XjbxE:WK+mzJiO3O4xpTjCbq9Yrd5k/dIkRn0P

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000231f2-24.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	a279bd6bee67e910fb463fa75221e5c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	qqxxwg.exe

Executes dropped EXE 2 IoCs

pid	Process
4172	loadwg.exe
620	qqxxwg.exe

Loads dropped DLL 3 IoCs

pid	Process
620	qqxxwg.exe
4172	loadwg.exe
3652	a279bd6bee67e910fb463fa75221e5c7.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023100-8.dat	upx
behavioral2/memory/4172-13-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/files/0x000a000000023110-16.dat	upx
behavioral2/memory/620-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00060000000231f2-24.dat	upx
behavioral2/memory/620-27-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/3652-32-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4172-30-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/620-33-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/620-34-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4172-36-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4172-36-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\A1A6BC2E.dll	qqxxwg.exe
File created	C:\Windows\SysWOW64\c6424110.drv	qqxxwg.exe
File opened for modification	C:\Windows\SysWOW64\A1A6BC2E.cfg	qqxxwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	qqxxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}	qqxxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32	qqxxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ = "A1A6BC2E.dll"	qqxxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ThreadingModel = "Apartment"	qqxxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32	qqxxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	qqxxwg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4172	loadwg.exe
4172	loadwg.exe
620	qqxxwg.exe
620	qqxxwg.exe
620	qqxxwg.exe
620	qqxxwg.exe
620	qqxxwg.exe
620	qqxxwg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4172	loadwg.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
640	Process not Found
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe
Token: SeDebugPrivilege	620	qqxxwg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
620	qqxxwg.exe
620	qqxxwg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	qqxxwg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4172	3652	a279bd6bee67e910fb463fa75221e5c7.exe	90
PID 3652 wrote to memory of 4172	3652	a279bd6bee67e910fb463fa75221e5c7.exe	90
PID 3652 wrote to memory of 4172	3652	a279bd6bee67e910fb463fa75221e5c7.exe	90
PID 4172 wrote to memory of 620	4172	loadwg.exe	91
PID 4172 wrote to memory of 620	4172	loadwg.exe	91
PID 4172 wrote to memory of 620	4172	loadwg.exe	91
PID 620 wrote to memory of 2216	620	qqxxwg.exe	94
PID 620 wrote to memory of 2216	620	qqxxwg.exe	94
PID 620 wrote to memory of 2216	620	qqxxwg.exe	94

C:\Users\Admin\AppData\Local\Temp\a279bd6bee67e910fb463fa75221e5c7.exe
"C:\Users\Admin\AppData\Local\Temp\a279bd6bee67e910fb463fa75221e5c7.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\qqxxwg.exe
    qqxxwg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\RarSFX0\qqxxwg.exe >> NUL
      4⤵
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
334KB

MD5
fe98c43523c3a19d6f50dd094f5885dc

SHA1
3e85dbbf8ef43bc9da761308028f86e503b98111

SHA256
fe50b3c51a497093e2af356b694d431a2db7bda8a344c548122710c991d2775a

SHA512
80efcd41b4418df2ef1382bc77bd798041da5bc8f22b994214a89344b29e81308943f8bfafca7754fedf5e0928887cce915f0cd1a318ca22634f045ef53b5391

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qqxxwg.exe

Filesize
25KB

MD5
bbddd96673e6cfc6895573c98efca7dd

SHA1
4ac17a072aad6c872ea083c36eb066a2fa75b0ef

SHA256
9cb6fc7f02232a07c982272aef488f8b0441c6d67da29d1112b9be5d724252d3

SHA512
48924283a6a3a7050408a8b9d26f7e20ac7486abfed6d49bd517b305b0efb88e8abc830293ab6c1fe96c8315704ffb52af28d8b3031764359feff94cc0248b0b

Download Submit
C:\Windows\SysWOW64\A1A6BC2E.dll

Filesize
215KB

MD5
6c6f3133311a9f64759c2abaf3232cb5

SHA1
eec3c6eb642ebc49d04d9ac3cc8160862906a7c1

SHA256
2cae7747c172236a92b521adf5526a5bc1f1d2d0625afc98789b0c61531a3c18

SHA512
4fd7e812140a97184b247f5f11dae24e3cd21b63444db86d1892d3e4e469681efc8e58b29b15e7848451fe119d0ee6e9e94607de7e1ad6a42fbff28314a1b537

Download Submit
memory/620-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/620-27-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/620-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/620-34-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3652-32-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3652-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4172-13-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4172-30-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4172-36-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download