705d45a1a1de06bc947f75bce0b45750e69ae9426bb1660dce9e1a1658d07061

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7236250fa6eae6e635ac935b9d354f1.exe
Size

10.7MB
MD5

c7236250fa6eae6e635ac935b9d354f1
SHA1

f34bd373e7281ed418854d80dfa7b28cfc269882
SHA256

705d45a1a1de06bc947f75bce0b45750e69ae9426bb1660dce9e1a1658d07061
SHA512

29462de097240f07fe4309134d5291694c4d3d3d2f7f096039c9ffba5a7dd18b260979543a1e3071ba284800b95a1d58e88b4c6dc05c0587fddf0fbd6b646b0c
SSDEEP

196608:t3sympoQ9HHKhnP4donuY7tBZ5Q6Vbg2buAciEF1gB+t+Gx42GAi:tcymSuHenP4doLy8f5NE3/MGSPR

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002320e-65.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	c7236250fa6eae6e635ac935b9d354f1.exe

Executes dropped EXE 2 IoCs

pid	Process
3352	V2Update.exe
1160	Moyv2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3352	V2Update.exe
3352	V2Update.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3352	V2Update.exe
1160	Moyv2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3352	3032	c7236250fa6eae6e635ac935b9d354f1.exe	97
PID 3032 wrote to memory of 3352	3032	c7236250fa6eae6e635ac935b9d354f1.exe	97
PID 3032 wrote to memory of 3352	3032	c7236250fa6eae6e635ac935b9d354f1.exe	97
PID 3352 wrote to memory of 1644	3352	V2Update.exe	101
PID 3352 wrote to memory of 1644	3352	V2Update.exe	101
PID 3352 wrote to memory of 1644	3352	V2Update.exe	101
PID 3352 wrote to memory of 4492	3352	V2Update.exe	102
PID 3352 wrote to memory of 4492	3352	V2Update.exe	102
PID 3352 wrote to memory of 4492	3352	V2Update.exe	102
PID 3352 wrote to memory of 1160	3352	V2Update.exe	107
PID 3352 wrote to memory of 1160	3352	V2Update.exe	107
PID 3352 wrote to memory of 1160	3352	V2Update.exe	107

C:\Users\Admin\AppData\Local\Temp\c7236250fa6eae6e635ac935b9d354f1.exe
"C:\Users\Admin\AppData\Local\Temp\c7236250fa6eae6e635ac935b9d354f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\V2Update.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\V2Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\System32\regsvr32.exe \DLL\e_beyan_indir.dll /s
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\System32\regsvr32.exe \DLL\e_beyan_indir_mlt.dll /s
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Moyv2.exe
    Moyv2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Moyv2.exe

Filesize
598KB

MD5
57ee7d035b08611845dc34275e823574

SHA1
591630c64043d79fdd93e487e3742ff9c40b590b

SHA256
1ee7e00f979b2f7614d65e460e263135ca2bd100f08fe7748c715b618023b7ee

SHA512
30612fc2673fb9cbed84eda8403df55872dbd911ea57283e73bcd62366786e5a7cca6637854a4c179388ebce4655fc847c4ace28a3289cfb91081d30243432e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Moyv2.exe

Filesize
64KB

MD5
a12662f287250efd8efb88a8dd8ff8fc

SHA1
d3e4cd9fcfb01da86ee6f7aa29d06b488f7768db

SHA256
7508420ebf98390b490498db78d9cce9e2e9141407455f0db332d66807fc1280

SHA512
6518f1828306945a58d1fb8619e19d1a0cfe755162a2e0c38c68e3b18d45ddb6e0033c402257c2499d5abd77f1da3663e006c5bc84c01cb4d89588a23419e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\V2Update.exe

Filesize
92KB

MD5
d044c51e59188dd24a846b78b04a36e0

SHA1
01bdea268c40113e1e6be2ecb222ca52afd4dbd1

SHA256
8b7f8dd4e15b1ba874806e11977b6776c658415faf63949068c61a076950ea5c

SHA512
763154abebec0c12f34e4a3100148bc05c47d88993f530e18dddd3c88df07bdef9de36d5a6365aba5077908eac0aaae768436daa658abb85ce9ff93855f1f913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Gv_Takip.exe

Filesize
7.5MB

MD5
a5f379b80633208e9eb64baa4bb361e3

SHA1
7bb440c280414a3623dcb0fbdeac78a6e733e914

SHA256
b5af44776e572d979ca19c2bb063a76434dd22c248f998874b5a88a75585bbf4

SHA512
ab6ab22f609651c232380ed7c68d4f7aef134ffb0b9280394843e027a6e0cc53ee5d1c2353184635e6f86d2e851fbc462080032a463e6da84d372e1e2f3db81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Moy2_sms.dll

Filesize
52KB

MD5
d1640c7898448ef4b986ee64c1741974

SHA1
2578615d6d23fbde04c9f94b31e76111fca799f3

SHA256
a3e4d42a4bb8047aa1ea1b18d2f918cfec15bb18ee73f95992fd68174d9eef64

SHA512
efb1aeb38ea37fec2db05e722454e3ad184b5aaec6d83d5453bedbf34286ab768136bd10db93e27a9d81b2140a962dfac17ea5437d811effc400d058e68d2a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\MoyV2.exe

Filesize
21.5MB

MD5
2bcd667805ab97b102388f186d87aa3c

SHA1
1702fb0104d108186697488768db0e325c573292

SHA256
8b26481aadd0e6bb9d2af8c73b764c013cab351dff86cce79b97f5681516d0e1

SHA512
36a62b1695e642769eece97e9079419f09383a62fad3e04e3da3d95aed35af9595d7644e2c09baff3016162bf6876ef457890063e8a979bfb089ca6ef1d7e0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Moy_2_Fnc.dll

Filesize
496KB

MD5
b628130a580ce8f11a106e02cf86203b

SHA1
449d8fa81fd499b2ff736b4496aa2dc75d9cf3c6

SHA256
4c11bc7477f19745be3e958a7fdc66d19490c6fd8f40de9ceaa2bf3f10f8bb8c

SHA512
5e0ae597d8f5ca2065ba5af0b5c475d62a29b42e6e14e3c8025b648cf3b5e963c1d638d3efc3df4efc232345f68f2f34496c2d96955bc6d4d4073687b0bff685

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Moy_2_Gib.dll

Filesize
132KB

MD5
c8c3dc146db85eb22ba9aaaa53c389bd

SHA1
24900d36661eb09a31ea44683055c5b524d53d69

SHA256
a3930d18d5672f3d8b76a72fe697ad8ce8d357c03b20c92bb9710e219ddb634e

SHA512
26880de896acfe6f1e3abe84e19b76de30e8cc4895cfa68c9a6e7a5ad7fe4e8e8dfc8bc05b9b8f30729f58d6f600a197d823e79c0d4e67ec159cf363b8328d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Moy_2_Menu.dll

Filesize
156KB

MD5
05678675cd99a7778002f9933b0724f4

SHA1
939a7e2ecaf443eda1eeb8221ba4c6a5d510dcf6

SHA256
3bc121b70c836fedcfe1a474265a4b3984270a677114f78a313038f1491c3f6a

SHA512
794068d1bd060355cee4406c41bf8b83c8645779d938a3cc409c0aecdda972400241cad4cf9dbf447f25e83cc06b16fc352750450532bf34c7a0f6a061ea0280

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\SumatraPDF.exe

Filesize
6.2MB

MD5
a66c9054c372978b5752566361c27535

SHA1
527b8a0f9bffc41df878fb45e73f58e01e827e25

SHA256
54e19ff0a436f9806ff4dec14882a3391026751242b0e53330325e7c256d5155

SHA512
3114d24ccc0705cb722fd0a6ef135215e6475702d12073ab0567039a34d2cb279f7a6f6ffb58cc2a38dc87b3f97c71c245709ba6242813a0abd5ca0d0bb7e17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\Unzip32.dll

Filesize
140KB

MD5
90c34787f181708dc15233e06a275cbe

SHA1
94bbbeede65e4c51c3c2435ad4a0378627e8a412

SHA256
6343b6c89d9dce1dd0c320d68a650ed053e31d3eecea75d376947c4cec222ff6

SHA512
eedc45e715a4232b5dab9b3d95ddec6ce526cc410066991e3dc3d26e4b2c68bae3b3e00096af2852a395c19363dbbe552b7795a330c357149a08e9c5ac391483

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\e_beyan_indir.dll

Filesize
680KB

MD5
0eea8a27a6350d4407357194130a80af

SHA1
efe841ee2d4d242ee91183a8b9bc33b4f95f2b52

SHA256
b1fc34624f42b0f2e7250a80d7bfefdfc1e21fbdd2fcad2032a7afab0c0b3247

SHA512
a7a9492692da01daca6eb1173071db573757806ba206ba68449307f47758ad897e661393a0b88e267110b4e9fd05662439b8b1975584b879703b19c9e0a302f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\e_beyan_indir_mlt.dll

Filesize
1008KB

MD5
8276fa65c09d84003b3579b5002c2a84

SHA1
894407508b179b61172589d7022f574635feaf3a

SHA256
c479df352b673e4b82efa958f2518aa12fed8151787e1a3e0f20b7e8767738af

SHA512
956477a6236176e8c3340f281e7b080205d9d1eaf5b0750c82090242299f3bc3c39f3a69bcaf2fe83c205d519d4443c22def7336e139853d3add9b412f862ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\encryptpdf.dll

Filesize
200KB

MD5
3ad1615a1adc60fb707f92e92e15792d

SHA1
cb2c6dc51cbf5d919ba466da42f4cdd9f24bc8cd

SHA256
e8a1a30420de24890f8723429d0e0909dda31504055bfda15c3c21307c44e595

SHA512
fe37a95c4166dde1ddf9131c21b41631cb80b25288467b91ba276bbe510322f9bdf42d26f45205df98ce67b85a689e7864ca36ceefcb776215375a81b75ae688

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\etbico.gif

Filesize
1KB

MD5
88237f7e60c5c5838fa131e59cf5f5eb

SHA1
c29613b964b5cb7e96df871ca061c569e43fc6c5

SHA256
b8b22bce57f0bf5c2fa6140aadfea9faddc1debe07bc28b391918929ae749920

SHA512
43ea3872808d8aa682800cb5e319efc640f9a584004852592148497f92c18e2d574f592291a2ab0d458d04efe1fdfb950e5b150ce0898e4a396cf8ca9dd0fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\help.rtf

Filesize
22KB

MD5
a4f4a4bf6bb0781d2e26b4f50e0625e0

SHA1
ba04958541cc424e13abbb7ded94aafa7bfe1951

SHA256
cfae0f9b000edbb8061bd6f28cf2d11dd65cde286898e1a773947a0b8113cc78

SHA512
d42a0f3009b94372503c2c99069e4b46545bbc3bc8e90da78fc2574dd75f611802260720df9f5a9ea70bd8d2852e9a5fa7ecfe3c415ba33343611f456a8f0ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\pdf2txt.dll

Filesize
951KB

MD5
26bd5668ab34cf87cd4ccce398e6170b

SHA1
e454ac60ec6570b4f9d6eede523b63cb126cd4e8

SHA256
af21fc2064a5acf907b3bf800b63e4433e4bd88bf77ef964cb5e2f44852a66bb

SHA512
78488e33e9d9df79e3b655e0e54dfa84ae81a7085540e6de57445ac597cac384012565f4524928153288162949f136a33ae8fa4d901e5e6f0a2c404c332a4152

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\vbzip11.dll

Filesize
144KB

MD5
abee1079ea3f3e74c933915bf10a7b9b

SHA1
b3de541c524f46fd0c95dcefd3f7765114107910

SHA256
d13f6334c4cb124052d658e687a0394fb431447e5239a4f8be576c9c416705ca

SHA512
f046e5a1d2fb01b9999743b36a43a2a2699bff1c0cddd2351fb1a6979725634d235ab415b4784cc4aeaa6a9bd982ac88f89f82ef27cb9de7e1da5d6f4f6542d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update\web_Takip.exe

Filesize
52KB

MD5
ab2a69f57a6666ccc1190456e49aee09

SHA1
c0a7be690b6ccb15c76ebcdfed5df2f963f52d6f

SHA256
b0a96007eb50cd4860ddc71bcb49ad425ad1c8cacc8da36d42a90571ba900d2e

SHA512
a7eaf0886721b9ac08da934fcc02b5568aedbe14a4111bd6b5cd5896eb137af094673f86b51a8863a07831b6b825b538fb83b465d30fea1cc1ee1924ee97cf9e

Download Submit