f37e231d9fca43ebf0745a01769cedd64f9df3d0c8c50cdce8c6cd535a0e4482

General

Target

b7e527e572d6abb99dd0a02820828d29.exe
Size

352KB
MD5

b7e527e572d6abb99dd0a02820828d29
SHA1

5b6d1da284a9446338a8e0252d4c6aaed7da6f98
SHA256

f37e231d9fca43ebf0745a01769cedd64f9df3d0c8c50cdce8c6cd535a0e4482
SHA512

ec71163fb3956f9681a27f4c4495239f265a2741773f06de653ec676d5bf414543da2d8d6daade4a9f00db82967714e06be3e8925d1363c5af91f19eb61fb03f
SSDEEP

6144:pMK5fKXKtphMsIs3msTiHe10ceqKMLGbpzhvUZi98gWNlPTGQQm6agrd:pMKtKX8hM+TTekGB5oNtTird

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023214-34.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	b7e527e572d6abb99dd0a02820828d29.exe

Executes dropped EXE 2 IoCs

pid	Process
3812	1.exe
3012	sdfsdfsdf.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	sdfsdfsdf.exe
3012	sdfsdfsdf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KeySpy.dll	sdfsdfsdf.exe
File opened for modification	C:\Windows\SysWOW64\KeySpy.dll	sdfsdfsdf.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\sdfsdfsdf.exe	1.exe
File opened for modification	C:\Windows\sdfsdfsdf.exe	1.exe
File opened for modification	C:\Windows\sdfsdfsdf.cfg	sdfsdfsdf.exe
File created	C:\Windows\sdfsdfsdf.cfg	sdfsdfsdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\sDate = "-"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International	1.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings	1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial = 00000000	1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodisconnect = 00000000	1.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	sdfsdfsdf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sDate = "-"	sdfsdfsdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3012	sdfsdfsdf.exe
3012	sdfsdfsdf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	sdfsdfsdf.exe
3012	sdfsdfsdf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3812	1424	b7e527e572d6abb99dd0a02820828d29.exe	87
PID 1424 wrote to memory of 3812	1424	b7e527e572d6abb99dd0a02820828d29.exe	87
PID 1424 wrote to memory of 3812	1424	b7e527e572d6abb99dd0a02820828d29.exe	87

C:\Users\Admin\AppData\Local\Temp\b7e527e572d6abb99dd0a02820828d29.exe
"C:\Users\Admin\AppData\Local\Temp\b7e527e572d6abb99dd0a02820828d29.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  PID:3812

C:\Windows\sdfsdfsdf.exe
C:\Windows\sdfsdfsdf.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
201KB

MD5
10a3dbcb3a714de2187dec1cfb0d4f9e

SHA1
fc58aa2afdde837df3ee86986595c717dda849fb

SHA256
3716ad0687ab5868947c7460bcb5c7e75bbbabbc3e06f447b5df146e83357dd4

SHA512
509d07de9b985ef680fbc66998eb130cce3293ecceb80a4509514c84bc5c082b414a6dcca9af7facef4ee814b34b1e030f94978b4688380dd0c121a71c0b12bf

Download Submit
C:\Windows\SysWOW64\KeySpy.dll

Filesize
11KB

MD5
373ddfe5e3e49a265fc6761d064d6dff

SHA1
cd812b409144f1439bf7da081251086f30c5af23

SHA256
d7d005d3cdc5f0d2a6523db9bafe07405347e27ccdcc581f3d504b1f77d933ce

SHA512
8b13264df53219598930ed95959fa096da80a2008e93a891830cd045ddf1014f0a5f186ab61f035ce064ee79a78912f2f2f2d943846dfbd3d810dc47463972f2

Download Submit
memory/1424-10-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1424-11-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1424-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1424-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1424-6-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1424-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1424-8-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1424-9-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1424-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1424-4-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1424-2-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1424-22-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1424-1-0x0000000000930000-0x0000000000973000-memory.dmp

Filesize
268KB

Download
memory/1424-23-0x0000000000930000-0x0000000000973000-memory.dmp

Filesize
268KB

Download
memory/3012-28-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3012-39-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/3012-40-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3812-31-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3812-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing