f8dec3bc89c9f3442ad2fa7234124e7fa1de93235e4571e3b011bab14ae5db60

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b42bc8be0a045e0a254ce8cf5a4c5f55.exe
Size

84KB
MD5

b42bc8be0a045e0a254ce8cf5a4c5f55
SHA1

58e88d802d9720e0f064f9f4a09477684a35c4d1
SHA256

f8dec3bc89c9f3442ad2fa7234124e7fa1de93235e4571e3b011bab14ae5db60
SHA512

0772e5b956e72f73000878ebf94df5877c4d8ec21352e02bb4c4c89d608c995da44aa2b26189efe0020485c2638c38d290f7b6200d6a81308fb40a8cd9f8c303
SSDEEP

1536:J6ggfUfojGnRR1J0+6Q230jgBhVulU8KgKFVXljQG6q8+t:J6uxJ0+yBz6jK9XtQ88+t

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	laass.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016d36-20.dat	acprotect
behavioral1/files/0x0006000000016d36-24.dat	acprotect
behavioral1/files/0x0006000000016d36-22.dat	acprotect
behavioral1/files/0x0006000000016d36-27.dat	acprotect
behavioral1/files/0x0006000000016d36-26.dat	acprotect
behavioral1/files/0x0006000000016d36-25.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	laass.exe

Loads dropped DLL 7 IoCs

pid	Process
1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
2944	laass.exe
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	laass.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Progra~1\%Program Files%\~	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\Wdcp.dll	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File opened for modification	C:\Progra~1\%Program Files%\Wdcp.dll	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File opened for modification	\??\c:\Program Files\%Program Files%	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\laass.exe	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\363.VBS	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\Cest.bat	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\best.bat	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\windows\362.vbs	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
2944	laass.exe
2944	laass.exe
2944	laass.exe
2944	laass.exe
2944	laass.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe
2944	laass.exe
2552	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2944	laass.exe
2552	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2944	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	28
PID 1544 wrote to memory of 2944	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	28
PID 1544 wrote to memory of 2944	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	28
PID 1544 wrote to memory of 2944	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	28
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2552	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	29
PID 1544 wrote to memory of 2564	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	30
PID 1544 wrote to memory of 2564	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	30
PID 1544 wrote to memory of 2564	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	30
PID 1544 wrote to memory of 2564	1544	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	30

C:\Users\Admin\AppData\Local\Temp\b42bc8be0a045e0a254ce8cf5a4c5f55.exe
"C:\Users\Admin\AppData\Local\Temp\b42bc8be0a045e0a254ce8cf5a4c5f55.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files\%Program Files%\laass.exe
  "C:\Program Files\%Program Files%\laass.exe" Wdcp.dll main
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2944
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" Wdcp.dll main
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B42BC8~1.EXE > nul & rd c:\%Progr~1 > nul
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\Wdcp.dll

Filesize
2.2MB

MD5
545feef76b9aff4e5de5779664086cdf

SHA1
6aa9fc26a25da621a7e5a72abc93fe083535c5ed

SHA256
d5175fe99cd6e83a95ecc8853b84efdda7867ea9341ec6661600788f55f2fa2a

SHA512
637d03d0099282d8e376196e28ca0d5bf1ed615ce8d6ff0d251bd6a762cd5db8b34223568fa6285563148c7348747118501e0b330a377997f4ee5ec71f9f939d

Download Submit
\??\c:\ntldr.sys

Filesize
90B

MD5
2decc7673a337ecad80bbbfed8a524bb

SHA1
7a0ade42fc8d51817572919584e0ef1a3c7bf18c

SHA256
7290f853e512f2c5d401ac03dbcb2e5f0dd6bf27e5dc51b7f476a33ea9d94974

SHA512
8c608695079866acc9c2d4486841688f93cc1e632534058c9ffbb7e95c197a0e4ac6da422ce67a60aca7ccd887df85c3cd225f24d0214b050ffa98cb76145d82

Download Submit
\Program Files\%Program Files%\Wdcp.dll

Filesize
114KB

MD5
e511bf26d6fbc38fb128913e2cc4efe0

SHA1
9c569ba7a1e283d7d64f89d658f3c8c3ae37bee2

SHA256
2f312438716883508d913e9dd1c5839b19aa7a8fcc23f509d90700b2ae5eac62

SHA512
fdd4381ff7d6c55e51a54e5416d347855ea8e128a1b5e132d13b4f939feedfbdaa2a7e3c03f961a85c83559ebd90811fcab8400f4ce167bbf619fe04615771e9

Download Submit
\Program Files\%Program Files%\Wdcp.dll

Filesize
154KB

MD5
372c8be680be113f093aa405ed4bca46

SHA1
cbefd4c3d281f47d60cc097a68ae6dd1a3489937

SHA256
6b6ecd36db75cb9a6b798620d9c8a81cf2410c8bd41e8d3f8af9f5591cae53e5

SHA512
68fd3ce27018966df8cadb4129a2848c06d0571cbba0cfe14c21b218f2211aadc02fa0b9cb15df8a988f1a250607373cd386a7b460f04b1ece0f7e459b5f05ed

Download Submit
\Program Files\%Program Files%\Wdcp.dll

Filesize
103KB

MD5
c1a06f1725cb546f1bf281a1b5cbe808

SHA1
c2f5c5497353baf600bf0288b6eded6001f7bc35

SHA256
aa1b5b743334c71902b15997f3d34d0c6f0939cc1487181a34c979088ca50ab7

SHA512
9519181bead522556146aca86d08b5e81a47823d5e9ca565ad868a21b40b115f660183967d3e755c2ccdcf61cc758f6220b5703f1ad6b807080d05e6aaedfe10

Download Submit
\Program Files\%Program Files%\Wdcp.dll

Filesize
135KB

MD5
229e58b147e3a70453cd43ee37472a87

SHA1
6d06fa61c683002117bc6a260e55c908f5317e90

SHA256
879a085870c17839982aef4224cf1cfb75a21fa3a82864ff19603a1b2827cc43

SHA512
61ae0abd7bbc35d9792abd0e8b44acdd7cf3a0d01f867e5c28c0b25c3c26e583bcfe316784f8fc6f1ed83e70f79839bd511f7e7123aea297022f0bbc40a822a2

Download Submit
\Program Files\%Program Files%\Wdcp.dll

Filesize
204KB

MD5
1255c80eeb34a6f00051a2b3f12cc78e

SHA1
c1a6563612ee6b5866cba3e78e442508055b7be6

SHA256
23bff7029cbad01574cacf10d00d7e54c006deffb981e8e4731e37858e213a37

SHA512
1feab63e56915996569af52a6c28148479915cc51b4d9c4d6fb4e6fe6fa6aacbc4dee3a77ad75dc270cc3b79aa2b3276aa664f8622c2a571106911c385b04de6

Download Submit
\Program Files\%Program Files%\laass.exe

Filesize
9KB

MD5
359c541c07a39ab11bb45aad29b2d2ce

SHA1
3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7

SHA256
6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5

SHA512
768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

Download Submit
memory/1544-21-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/1544-1-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/1544-0-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/2552-28-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2552-30-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2552-29-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2552-32-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2552-35-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2944-23-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2944-31-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2944-34-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download