e9045c4012cdfd4f2911db303478527e2006aa3b148dfdbacae85b4ee3b52e5e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be7563a984dc5168ce14181b90432859.exe
Size

1018KB
MD5

be7563a984dc5168ce14181b90432859
SHA1

b98280f7310095da26de3e448beb489998f74c54
SHA256

e9045c4012cdfd4f2911db303478527e2006aa3b148dfdbacae85b4ee3b52e5e
SHA512

363339b8c932c69473ae34daad38fb0f86979a6173a2ca570b28a767251299af97c81376a2b1c41f2eeabe86e6933a332f9c891d9eb2ba4893910fee1c6d3f12
SSDEEP

24576:kF8B9/XCfoX5IgBIeepfBLwtQVReC5Tt9T:I8j+g+XZd5TtN

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019588-61.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1452	cscript.exe
1944	autorun.exe

Loads dropped DLL 5 IoCs

pid	Process
2624	cmd.exe
2624	cmd.exe
2624	cmd.exe
2624	cmd.exe
1944	autorun.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2804-0-0x0000000000400000-0x0000000000678000-memory.dmp	upx
behavioral1/files/0x0005000000019588-61.dat	upx
behavioral1/memory/1944-63-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral1/memory/2804-71-0x0000000000400000-0x0000000000678000-memory.dmp	upx
behavioral1/memory/1944-73-0x0000000010000000-0x000000001007E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2624	2804	be7563a984dc5168ce14181b90432859.exe	28
PID 2804 wrote to memory of 2624	2804	be7563a984dc5168ce14181b90432859.exe	28
PID 2804 wrote to memory of 2624	2804	be7563a984dc5168ce14181b90432859.exe	28
PID 2804 wrote to memory of 2624	2804	be7563a984dc5168ce14181b90432859.exe	28
PID 2624 wrote to memory of 1452	2624	cmd.exe	30
PID 2624 wrote to memory of 1452	2624	cmd.exe	30
PID 2624 wrote to memory of 1452	2624	cmd.exe	30
PID 2624 wrote to memory of 1452	2624	cmd.exe	30
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31
PID 2624 wrote to memory of 1944	2624	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\be7563a984dc5168ce14181b90432859.exe
"C:\Users\Admin\AppData\Local\Temp\be7563a984dc5168ce14181b90432859.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5486.tmp\Run.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\5486.tmp\cscript.exe
    cscript HS_MESSAGE.vbs "Did you run the program as Administrator? " "Activation Tool" Q YESNO 30
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.exe
    autorun.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5486.tmp\HS_MESSAGE.vbs

Filesize
796B

MD5
af0559e0301b2f75fa7ce812c5296de8

SHA1
205ddd069a599d20f0e91e17bbf3250eb339cc9e

SHA256
56a32a3cd84010b6517ed492ae6eadac54e5a903f4a0d21b4db32431416d82a2

SHA512
b80b0a1e9f142b16fcd54b24b23b637115454bf637d1abbaf8f9076a33148331e26668dadaa16202fbdbfcdcb152db519a26cee52a01af82149fdf2af2e70db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\Run.cmd

Filesize
1KB

MD5
0b851d375a6a8a8b04431d9635371f85

SHA1
4cf97a4f0e3b04e476b4492cce7409a5c20b68ef

SHA256
706d9ddf9c333f9c77238d22500dfb294776220625755e5668dff80246fc48fa

SHA512
b5bbf8aaed186aaca7c87f2c8528ea669da3ac4fc3d09f136c56244b78369f2105d707fe37f2cd7b546c9ad676758184daa6799324838bb59bf1bd0d561fb35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.apm

Filesize
193KB

MD5
748f99ec78fc9e2e3bba87c6441dfd0e

SHA1
a87a9290cd1678c3ac0e69bbed924791a27bc540

SHA256
7d33cd2203c3e4268855f00d897f51eaf4b1d4f06e198d3a05d5f923e3ccd794

SHA512
9c320ed5b6a52384037b885cd8dcb850112466c0d47d78290ffd6f2955c59e847c303fa5778cfeb6f195fbf4cb5cbbfeabad121c478bbb2f67edb57470bbf368

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.exe

Filesize
912KB

MD5
2fecda6df50f9525b03f2fe38b2cc8b5

SHA1
e2449ff98e654886d2c692e755a6a743e5447c24

SHA256
4d62de70e161fe807de1d0c922d000ed3e957fc9ee11a7764dbe2fce097fcc73

SHA512
b2109cb6c0fad314cf79b3702b999a116719e6c60c147db03a70d0bdb7ce4b8b32f7b723d6a3bf408a3fb0ff69cbaae2fe17b787222d1a5f605e2050d2752d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.exe

Filesize
501KB

MD5
45abc4a2464a29e26ea83a654fc94f0d

SHA1
0059d59928083e1ef885c856702f59c386d7fb09

SHA256
925c5b62ebda435fbf7a11fd7e7433602224aef309f435b74dd5192d3706bcdf

SHA512
a4eea664725b18a84bf32c134536e0ea9e1141e79e390010589dc64bbdc7e95bdf1bbf7a34a27785c2f0b3761cd400c6fcc1d9026c26063085d7ed2b7a27112c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\cscript.exe

Filesize
149KB

MD5
34098403f9d8f71ce2ec749122168e89

SHA1
0aed0994e4b43bc3ecc2106dc1c1d3210c82b7d7

SHA256
12df0b06a9b56dce3efdb85984f84b387b1a5b61c9ebbf5a3bd61a5fbb996f60

SHA512
e5b27d305b2a1c411bffbbf6c6534a92ce17af807c69344ed31a2fee42639ac5fef97ef4a654c4d6b2b8d42ba808856b857e9b4d8c008a7ba98adbab6c6b9372

Download Submit
\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.exe

Filesize
1.1MB

MD5
3a356a520a46b30fef9499dbb7c52b53

SHA1
ee7293009e508a55092e38127bfbf290b93f4ec7

SHA256
579be7204dc5e9865e35519124c1d79f0e8098aa9fa97187599ead5398a89510

SHA512
a588347ed51241e920fe1c1fa1010a06f6814a45dc2eef518074a7f22abdeadb964863fea464b0e06f210af22885eebcfcd5c4c83609a6468f6bdc3e1bb3d9f6

Download Submit
\Users\Admin\AppData\Local\Temp\5486.tmp\autorun.exe

Filesize
287KB

MD5
42c5b8cd716b29509d9e30c5c09734d7

SHA1
715c6f8dc33e6b096b47df44fe8d3cd23eeea734

SHA256
c4785a8b1ee1046d4aac26ab6288d0f592d11ca185f905ec6bde6b9576170e18

SHA512
fbe78a1cfa722afda1856445c2f1e9c620f0e930ba92042c4373df18d9d0cdb51122f1e55e64bee34dc92bec38a76c5994957cecee6796982f051b322e9115b9

Download Submit
\Users\Admin\AppData\Local\Temp\apm6FF2.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
memory/1944-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1944-63-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1944-72-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/1944-73-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1944-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x0000000000400000-0x0000000000678000-memory.dmp

Filesize
2.5MB

Download
memory/2804-71-0x0000000000400000-0x0000000000678000-memory.dmp

Filesize
2.5MB

Download