Analysis
-
max time kernel
137s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
14/03/2024, 00:56
General
-
Target
c7473898cab36024d629c4250dc75c2b.exe
-
Size
359KB
-
MD5
c7473898cab36024d629c4250dc75c2b
-
SHA1
e0b3dda2a3b33fed6f3987c0b46c459d8d585d2b
-
SHA256
55cb40f542cc5908da071759348396a3e5cdfc5187a68231fbe64504ccfaf41e
-
SHA512
376a2eca5d64bb8f3f4f5faa412fefd134bde2624c61875cc47cf213106e6892ea9f9ab86014e13c7a00061dab8756916e401f16deccb4863e584cf6852c04a7
-
SSDEEP
6144:jN4TPF4oSOgFfFoSeDkXSmuWVhc+zQGA9I/0UTla/ZQEkl808LE:xI94oSZfFoSfCmnViN9I/yIb
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7473898cab36024d629c4250dc75c2b.exe"C:\Users\Admin\AppData\Local\Temp\c7473898cab36024d629c4250dc75c2b.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system16.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40B2.tmp\system16.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeat /delete /yes4⤵
-
-
C:\Windows\SysWOW64\at.exeat 1:10:13 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeat 5:10:19 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:10:23 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:10:33 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:10:43 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:10:53 /interactive /every:M,T,W,Th,F,S,Su c:\Windows\system32.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mm.vbs"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sratim4u.com/adsupport.asp3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffa73bf46f8,0x7ffa73bf4708,0x7ffa73bf47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9562990068810941524,5252813651095435624,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54d6e17218d9a99976d1a14c6f6944c96
SHA19e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA25632e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA5123fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
-
Filesize
198KB
MD506d38d9bf028710762491328778f9db6
SHA183e1b6cbaad5ca5f6dc63453da324f8df28de193
SHA25691558d69c027808e375e11c80166dc6ba245fbcfce715c9588decc55b4a33dad
SHA512b197e5f92add72688396a07246ee9842a3b0de36508aa57f0254531cb109c77d0392e00ea28e006f9fbab1b8fee9b333998946de47ca7526b631e8c810780781
-
Filesize
168B
MD5fc8aeed042f36ab51077c65d94a8fa9e
SHA12bfc5a93f1bc5c12d830d42718ff9fb1cc74c72f
SHA256e764266c43fcbc93425521dc3f4c9b8f9a35708828344411082ca3c6c439d6fc
SHA512a3665cef7f9aa953edd880665016f9734c7b9897960972541e77d3e2ccbeeb40275b127b6460f0d3d38a457e2ff9d73241f40b59494456625f776b1b0f3887f6
-
Filesize
1KB
MD5f9de1dabd6540592218d9addb00b06bf
SHA168653e8ab2ffc2bf47b0a42fc2a0b3875a7451e2
SHA25614adb861d9712b868197e19d8d10760624d6700878c52b9256bce2a3f683a7d2
SHA51250d270f04c030f8e17c20e2fc36806263cd0b0023b5e6afaf9cb9a844c9a43161fa947fc81b2b5efdb77d006f8a85911601ba738474216a071c87bc9a205188d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD516f71d26603d5c3b88c47c5c14976262
SHA1757e8d3d2be37038a6d6677e7b5251b48d68e460
SHA2565165b41976b4824ba028f3daf4b4603084fa7ad890953fbd97cf7ed25c7c6ec4
SHA5125066f4eef8f72332b6f49a3b04bc9f8a00a9695f43472be12628c6157e8bd3fb6afc3f40fbce9d418835c8901959df47b61365ab8d0a81d691dd0a44bab4c2e2
-
Filesize
5KB
MD583146a53273b8ddf0598f56f9ae8140a
SHA1587cccacd54981278c14c19ebb7fbe5cb14ebc8f
SHA2564251e39054822210ddbefd6c4bfdf45e389b71049aece57104ae532aecc3ab89
SHA5129ed88f6c96aa29176c0df2be62ff9608bda9be473de707ea09be3a795374c01870ab4b7204f7e8bd4325c3194b9d41198205e1acadb9e6b7a0570b31b1d5e5a1
-
Filesize
24KB
MD5c2ef1d773c3f6f230cedf469f7e34059
SHA1e410764405adcfead3338c8d0b29371fd1a3f292
SHA256185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA5122ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5528635dd5c21ceac377de9fdb1869970
SHA1d1759c5858fe2e7ca3605d35c1b470d31a1b8753
SHA256948c9abb66cc6efa1a83df0106b41d7edc1df43b42ff69efd58eb69bc4d2d281
SHA512303221e785d422fe30674e5a1210aa291a00b09c77034ecb600893f6a74c123f08c394e0131296979bb78411b90e611821a9b59b96e45ead61c7c56ef4a2bbe2
-
Filesize
4KB
MD5ad6a993f0eb6c3d6c60b1ce366c18311
SHA18725588d021827bb6a4ab434d55020377dec7259
SHA256f1be18b37fe2ac144c80ea14689ea4b0c1f2e86c0a02b8495a89fa3bb7b5bc6c
SHA512cacc12bcca23bd90ff389581823e2261547fa104a1b944938635abf9e70923b5e41a722cd94b8f4e9c72b6d93442e2c8243c8bdc0ab1c6e5e23f6e9c25fe0612
-
Filesize
279B
MD5dff03098c730354818240b877e8fa41f
SHA161992f3a64ef2881d462e0a88595564dc6219f9f
SHA25697f16a0ca1a6560da6bbd60b9a1045b28fc7cbc451d41d516489b8a34c6d3287
SHA5126134f564c7e7c65a5fc303d8d62641861410a8aedbf9657b1d4626d16e36e59689e8e8b4adb789ee17d457dabfd35febcd9f5db0c2fde84e14602f30b0c95896
-
Filesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
Filesize
83KB
MD57db223864f91cc8afcf6d29aebb79dcb
SHA130d6fab4c59282f591519d85d289009c3719f7ff
SHA2560e2e55cdeed033ea13bc026e38083f29dd0445767a87ad9358d3f1c2b2e260e2
SHA51285ceaca8e3c27eeeaea7458eef166719bbf9eedf2d6e8054afee2c4f13ba8962ca879bf62e1253015759dadd7b6ef91e4df47b220343ab80b0725b4db8a60d9c
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
188KB
-
Filesize
188KB