dc25a22239346d77fd44a62c129bc700eefe00c7499ab87f8392d60753ca2380

General

Target

c5df5ac08537f07dee8b27158e9782ad.exe
Size

686KB
MD5

c5df5ac08537f07dee8b27158e9782ad
SHA1

4eb39419d6d5f3b448df42443f733d4fbb46c368
SHA256

dc25a22239346d77fd44a62c129bc700eefe00c7499ab87f8392d60753ca2380
SHA512

78d1c6dbaf7a27663977aa56a7f9cfe220c5d0af0334200af06932ff932c4b8d347b2e9299707f40a34d4bd027b41ad641b387ac424dadd162eef9801218c08b
SSDEEP

12288:fv0p6e9zd062bnkh2qNER2YY/EcbCgVlAEujX83fExeMJXWZ:fv4lD062bnkEBIYAEMu84ekXWZ

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000226e5-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1128	Pieeccrzs.exe

Loads dropped DLL 6 IoCs

pid	Process
4676	c5df5ac08537f07dee8b27158e9782ad.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000226e5-4.dat	upx
behavioral2/memory/4676-5-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/1128-21-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/4676-49-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/1128-45-0x0000000010000000-0x0000000010129000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Pieeccrzs.exe	c5df5ac08537f07dee8b27158e9782ad.exe
File created	C:\Program Files (x86)\Pieeccrzs.dll	Pieeccrzs.exe
File opened for modification	C:\Program Files (x86)\Pieeccrzs.dll	Pieeccrzs.exe
File created	C:\Program Files (x86)\Pieeccrzs.exe	c5df5ac08537f07dee8b27158e9782ad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4676	c5df5ac08537f07dee8b27158e9782ad.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4676	c5df5ac08537f07dee8b27158e9782ad.exe
4676	c5df5ac08537f07dee8b27158e9782ad.exe
1128	Pieeccrzs.exe
1128	Pieeccrzs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1128	4676	c5df5ac08537f07dee8b27158e9782ad.exe	92
PID 4676 wrote to memory of 1128	4676	c5df5ac08537f07dee8b27158e9782ad.exe	92
PID 4676 wrote to memory of 1128	4676	c5df5ac08537f07dee8b27158e9782ad.exe	92
PID 1128 wrote to memory of 3580	1128	Pieeccrzs.exe	57
PID 4676 wrote to memory of 3324	4676	c5df5ac08537f07dee8b27158e9782ad.exe	93
PID 4676 wrote to memory of 3324	4676	c5df5ac08537f07dee8b27158e9782ad.exe	93
PID 4676 wrote to memory of 3324	4676	c5df5ac08537f07dee8b27158e9782ad.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\c5df5ac08537f07dee8b27158e9782ad.exe
  "C:\Users\Admin\AppData\Local\Temp\c5df5ac08537f07dee8b27158e9782ad.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Program Files (x86)\Pieeccrzs.exe
    "C:\Program Files (x86)\Pieeccrzs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""c:\c5df5ac08537f07dee8b27158e9782ad.exe_And xMe.bat""
    3⤵
    PID:3324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Pieeccrzs.exe

Filesize
2.4MB

MD5
21fae397fb384de6a9082049413fc20b

SHA1
31c9803cd3438c7f64423e2efdec7797cb100394

SHA256
d226e57a0953e967bb150dc5655acdc6276b8a8b35cd256dba12eeb86fc060cc

SHA512
eb9746dd6de8d49b0a36f4be9130b611aa0ee6f3261066ad436865875d22ce0d3d427bf0e32d913722ec56ec0bb828528de2ac6ca692ebfc172db3981629cbeb

Download Submit
C:\Program Files (x86)\Pieeccrzs.exe

Filesize
3.0MB

MD5
fc5fa3f1b5903d718c0abb6c67a1b8da

SHA1
62ca4c41ed0b7597a1ea0d01b5a62dd5ad3ca241

SHA256
1314babfce6e409997dd6486c94b7eb439eec439da0a3b1fc43527ade915949b

SHA512
2636982acd06b553f46b731ab82ef85487d99aec974e2d3de3fed65a906c31bcc06ac4a33a13d4362be36ae699d3eb96b872712663c4734f6b5235f95c3c562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
409KB

MD5
c3d354bdf277263b13dca264ec2add9d

SHA1
b428dfd7df0f6024e22838823cc702e2293bd314

SHA256
ede1e15bb21655495ea3b3fb6710390d53839abeed944ed7ab1af7403b50aa5f

SHA512
24c8e96b3c07fa4e44fbb31a4e09bea728d90d410352aa9c6b6b6165ff5c038f689b7b58b05abc6513fa4ab953b78edc0f9e8298b2d57fe1c26e80068e7ca68e

Download Submit
\??\c:\c5df5ac08537f07dee8b27158e9782ad.exe_And xMe.bat

Filesize
182B

MD5
2d95770afd9723d414c0e23bd8fa3663

SHA1
00a49d0b67a4db2b9704bf5d2da53ff55490d77f

SHA256
f6f55b687c45bbebdd540045590d43dd235da7897f824a3d83c85849467c3eac

SHA512
74b03a15946a8004c43dd83feb3dd1f2b6622aa24b767572cf4c0b7351b8e29a39fb8e062e9220b9684f88d2e2c8833a71ca2781c4c10187a5feb95505801d77

Download Submit
memory/1128-25-0x0000000001F90000-0x0000000001FAE000-memory.dmp

Filesize
120KB

Download
memory/1128-21-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/1128-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1128-45-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/1128-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-5-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/4676-44-0x0000000002210000-0x000000000222E000-memory.dmp

Filesize
120KB

Download
memory/4676-49-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/4676-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing