Analysis
  max time kernel:  141s
  max time network: 126s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        29/02/2024, 07:40
Behavioral task: behavioral1
  Sample:   ae0af1ab4da45887861b4b328c7b4858.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   ae0af1ab4da45887861b4b328c7b4858.exe
  Resource: win10v2004-20240226-en
General
  Target: ae0af1ab4da45887861b4b328c7b4858.exe
  Size:   116KB
  MD5:    ae0af1ab4da45887861b4b328c7b4858
  SHA1:   3a9d11de653e1a375c1431841cb9b2feacd285a2
  SHA256: 8aac244c63b70915cde5e42da5ea49ff0b020adbc10bf91f2b5ce40d64a1f052
  SHA512: e71712d42396ce3e7d23a989451927974ddc015a664c0cc7bda33bc791e3c8c2262ed85d5a00a9112d106ad9813b4ca31032f8f46e9290a8ea2c25e4e0a1b73f
  SSDEEP: 3072:jJWz04Mkca4bxxIbLfluHPLjSoDl39VwNjsd4:1WzCkR4bxxwfwHj7D19YId
Malware Config
Signatures

  ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
    resource                                     yara_rule
    behavioral1/files/0x002900000001467f-18.dat  acprotect

  Executes dropped EXE (1 IoC)
    pid   Process
    1444  APP-2.Exe

  Loads dropped DLL (4 IoCs)
    pid   Process
    1672  ae0af1ab4da45887861b4b328c7b4858.exe
    1672  ae0af1ab4da45887861b4b328c7b4858.exe
    1444  APP-2.Exe
    1672  ae0af1ab4da45887861b4b328c7b4858.exe

    resource                                                                       yara_rule
    behavioral1/files/0x002900000001467f-18.dat                                    upx
    behavioral1/memory/1444-20-0x0000000000310000-0x000000000031E000-memory.dmp    upx
    behavioral1/memory/1672-23-0x0000000000320000-0x000000000032E000-memory.dmp    upx
    behavioral1/memory/1444-26-0x0000000000310000-0x000000000031E000-memory.dmp    upx

  Drops file in System32 directory (2 IoCs)
    description                   ioc                              Process
    File created                  C:\Windows\SysWOW64\APP-2nq.dll  APP-2.Exe
    File opened for modification  C:\Windows\SysWOW64\APP-2nq.dll  APP-2.Exe

  Suspicious use of SetWindowsHookEx (2 IoCs)
    pid   Process
    1672  ae0af1ab4da45887861b4b328c7b4858.exe
    1444  APP-2.Exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process                               procid_target
    PID 1672 wrote to memory of 1444  1672  ae0af1ab4da45887861b4b328c7b4858.exe  28
    PID 1672 wrote to memory of 1444  1672  ae0af1ab4da45887861b4b328c7b4858.exe  28
    PID 1672 wrote to memory of 1444  1672  ae0af1ab4da45887861b4b328c7b4858.exe  28
    PID 1672 wrote to memory of 1444  1672  ae0af1ab4da45887861b4b328c7b4858.exe  28
Processes

  1. C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe"
     PID: 1672
     - Loads dropped DLL
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\APP-2.Exe (child of the process above)
        Command line: C:\Users\Admin\AppData\Local\Temp\APP-2.Exe
        PID: 1444
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 14KB
  MD5:      7c2833f55aa78343d8b455f7ec0e9060
  SHA1:     ab82ed6864e0b9e21cc4778bde467d173984e795
  SHA256:   908b253dfcde4383ae96bf0ae02cf1348f7006fbc365dd66f3954229a241f874
  SHA512:   826d756e5e9f9f21315ad7a505ae88a81d9b1a28da6bc16e3aa7c83c8d7e77ffa661ec6e0bb91e5118bff4ddd649698ef8515d8a77d31caff11b92251c413c00

  Filesize: 12KB
  MD5:      5fb7c17be1034d6b7b092183b85c9954
  SHA1:     08e769ff257c308a7eca835513d7e230121f8eed
  SHA256:   d2226759a52ee530eac71beabbf06fcff7b7625a6c9d57439da9224ba7432592
  SHA512:   a8119981c97196e1dcf54e0c73eb257f59beca2205b2b50a7da72d640fe766efa7e172faa0c5bd3afe1be41019beabbe27f16cbc8681eb45fb89514df040f3fd