46a19858fdae67330956ded6caf816539c1a1b62eb8dd455293692ab6b44f885

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe768936889d0d1d6accb08e007f6a5.exe
Size

1.0MB
MD5

abe768936889d0d1d6accb08e007f6a5
SHA1

a706211fe11ce130d23c1d7e9fbb8be3cf6aad3b
SHA256

46a19858fdae67330956ded6caf816539c1a1b62eb8dd455293692ab6b44f885
SHA512

5a60dc545d9c4dcf2ef8f340aed6637b215f04602f6b728fac64188316f83720daa4d6af8dc16b5fa36f77234c1e8fb1fe3be332601c163372f2cfaf834fa5f4
SSDEEP

24576:99WC988bu6Co3zZOno39xQ1/UbjSg1wk/h48OcwN2wRzfFooBla4iw:9B88TCo3Wo3He/HgeBRja4iw

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016d4e-81.dat	acprotect
behavioral1/files/0x0006000000016d57-87.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2556	1292Installer.exe

Loads dropped DLL 12 IoCs

pid	Process
2224	abe768936889d0d1d6accb08e007f6a5.exe
2224	abe768936889d0d1d6accb08e007f6a5.exe
2224	abe768936889d0d1d6accb08e007f6a5.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe
2556	1292Installer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d4e-81.dat	upx
behavioral1/memory/2556-83-0x0000000074CF0000-0x0000000074CFA000-memory.dmp	upx
behavioral1/files/0x0006000000016d57-87.dat	upx
behavioral1/memory/2556-89-0x0000000003820000-0x000000000382C000-memory.dmp	upx
behavioral1/memory/2556-111-0x0000000074CF0000-0x0000000074CFA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	abe768936889d0d1d6accb08e007f6a5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	1292Installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1
PID 2224 wrote to memory of 2556	2224	abe768936889d0d1d6accb08e007f6a5.exe	1

C:\Users\Admin\AppData\Local\temp\1292Installer.exe
"C:\Users\Admin\AppData\Local\temp\1292Installer.exe" /KEYWORD=1292 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2556

C:\Users\Admin\AppData\Local\Temp\abe768936889d0d1d6accb08e007f6a5.exe
"C:\Users\Admin\AppData\Local\Temp\abe768936889d0d1d6accb08e007f6a5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd4174.tmp\ToolkitOffers.dll

Filesize
244KB

MD5
a94b9549c1089db0e9484ea742c80d1b

SHA1
49b90d3b790381e1efd855d4b99bbee8f84e2a4f

SHA256
f7d3c93f46f0874ff4e7625941707a4e50c4606492f705c8e563e88daa92c963

SHA512
49ee6daa7b4a82705cf2aa2ccbe4febd431358364b1fc1adcf5516b0ffb6e0f0cc5ae33799c1c4bc14834c1efe284a94b28ac983c9817dffb2d39a8934ae92a3

Download Submit
C:\Users\Admin\AppData\Local\temp\1292Installer.exe

Filesize
627KB

MD5
cca79726950beda07bdbe10c6628890a

SHA1
8c035673288be1d53bf8532ba3c55418ba15e5f2

SHA256
a44e4233a0962d46809ba617cbc04bbb9679aca3ba33c26a91424fbb0d6698f0

SHA512
f06f2033ebaee8b6da8b2aa93788bafc39fba55ca3b3cafba7a4940df92298ba95bf758e3d586482344cf23cbf4dfe7a4a4153221d7fe83e6d52c34e8a94410b

Download Submit
C:\Users\Admin\AppData\Local\temp\1292fondo.bmp

Filesize
206KB

MD5
ba30ca2fb7647d0180ec122df91e1d5c

SHA1
2efe00f518820c8b2989ca4810d5bcd85fca6796

SHA256
4244273881946ed3b97f646e92956f8757fb07bc28ea5d4e6d60d1010086b93f

SHA512
b448685f346c6eab7a8f07effd0aa0be1e80f73d06d7a875a304b3f20e90d36609780228fcec89b4ce768e909bb0a8a5ae369ee4858d0502967947d086e53222

Download Submit
C:\Users\Admin\AppData\Local\temp\1292header.bmp

Filesize
25KB

MD5
f52f6f36cf810fe0dccc0034fef304ca

SHA1
4217d8b43d22db74d499c1179044284c9fa78913

SHA256
7e8c072cd41b14218c14cc13595531e1da4eef973af1fffee178ef2c34583ef6

SHA512
6ec2f24d6356b14faa0122e094114ca38f8ed1a4f454b412c4837e6abf515a51a73959b19e6f7ba01f615f3dd00fa0b5f67ef4fe37a242c3117010ce70ebd868

Download Submit
C:\Users\Admin\AppData\Local\temp\1292installer.ini

Filesize
369B

MD5
bd4edba0035ea3f462ca514e14f8fc6c

SHA1
9eadda4be7f366f2f2e043e12456b03ff75a0a16

SHA256
8404c25bda32ae59f4bd56ee99ec90f2e54ed4d9c3bec80b6517d5e2302c7f68

SHA512
37c52d21b3d2e69cb7279f663c4b17e8105dc930dca9b23caeda0560cc85e1433346fa137436d2652b4aabb6054fb8fbf27645db006da73fa89b873e33e2851e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4174.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4174.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4174.tmp\nsArray.dll

Filesize
6KB

MD5
6585fc9e20b149a15e4dbb8aab03dbf6

SHA1
d3839b1694341ad494b0f92e4e3c6cc1c18e2333

SHA256
08e298c9a25208730f165660af4eec21e9fbd8021c34bce12a020d27e51843d4

SHA512
234f98317ba3a0cad5954a261610e0c851f3ae01d8213267bf4c06b259b57f1cc629c81b10e0778755065973381be33496a2f2ed82fea6c92540a389d7126476

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4174.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4174.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2556-89-0x0000000003820000-0x000000000382C000-memory.dmp

Filesize
48KB

Download
memory/2556-107-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2556-106-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2556-83-0x0000000074CF0000-0x0000000074CFA000-memory.dmp

Filesize
40KB

Download
memory/2556-111-0x0000000074CF0000-0x0000000074CFA000-memory.dmp

Filesize
40KB

Download
memory/2556-113-0x0000000003820000-0x000000000382C000-memory.dmp

Filesize
48KB

Download
memory/2556-114-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download