Analysis
  max time kernel: 153s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15/03/2024, 03:44

  Static task: static1
  Behavioral task: behavioral1
    Sample: ca6630338b490e1ec5803a080aa3ed37.exe
    Resource: win7-20240221-en
  Behavioral task: behavioral2
    Sample: ca6630338b490e1ec5803a080aa3ed37.exe
    Resource: win10v2004-20240226-en
General
  Target: ca6630338b490e1ec5803a080aa3ed37.exe
  Size: 158KB
  MD5: ca6630338b490e1ec5803a080aa3ed37
  SHA1: 84af70d6b02cd39a152712bdd287ee6b551b36ca
  SHA256: 9abe52617f5243dd82f106deb57d890f2ed77a63be6de4e67c354d74941c2f0d
  SHA512: 43399342426a712a8218eca63cba1ca6000b5a73891fe91fd70cbee40e15f482b02907e4b9356912b549d1f2fa467d5fac6ebe4f02db4b20f2d9f7f75fd7759d
  SSDEEP: 3072:KqQ+glQWLIjZ/3HCd8tvUuEeMYCKNklApHDq109Ma4cKeurjjf7b:/PYIOnh9KNklIA8grf
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x000100000000002a-10.dat | acprotect

Executes dropped EXE (1 IoC)
  pid | Process
  1592 | svchost.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1592 | svchost.exe
  1592 | svchost.exe

  resource | yara_rule
  behavioral2/files/0x000100000000002a-10.dat | upx
  behavioral2/memory/1592-13-0x0000000002520000-0x000000000253F000-memory.dmp | upx

Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\K: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\O: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\J: | svchost.exe
  File opened (read-only) | \??\M: | svchost.exe
  File opened (read-only) | \??\R: | svchost.exe
  File opened (read-only) | \??\M: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\P: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\S: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\I: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\V: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\O: | svchost.exe
  File opened (read-only) | \??\P: | svchost.exe
  File opened (read-only) | \??\E: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\J: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\Q: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\R: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\G: | svchost.exe
  File opened (read-only) | \??\U: | svchost.exe
  File opened (read-only) | \??\V: | svchost.exe
  File opened (read-only) | \??\H: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\N: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\T: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\U: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\L: | svchost.exe
  File opened (read-only) | \??\N: | svchost.exe
  File opened (read-only) | \??\S: | svchost.exe
  File opened (read-only) | \??\G: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\H: | svchost.exe
  File opened (read-only) | \??\T: | svchost.exe
  File opened (read-only) | \??\L: | ca6630338b490e1ec5803a080aa3ed37.exe
  File opened (read-only) | \??\E: | svchost.exe
  File opened (read-only) | \??\I: | svchost.exe
  File opened (read-only) | \??\K: | svchost.exe
  File opened (read-only) | \??\Q: | svchost.exe

Modifies registry class (16 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV | ca6630338b490e1ec5803a080aa3ed37.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSBWDXR.ShellExecuteHook1007\ = "Maihook1007" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSBWDXR.ShellExecuteHook1007\Clsid\ = "{78E611A2-E484-4A0D-811E-C40100A3F452}" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ = "Maihook1007" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32 | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSBWDXR.ShellExecuteHook1007 | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSBWDXR.ShellExecuteHook1007\Clsid | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID\ = "MSBWDXR.ShellExecuteHook1007" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "054036162053036188108255049039105103071065041214115216194089028060109145199003116110024139026249240" | ca6630338b490e1ec5803a080aa3ed37.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ = "F:\\$RECYCLE.BIN\\MSBWDXR.dll" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ThreadingModel = "Apartment" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile | ca6630338b490e1ec5803a080aa3ed37.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile = "052035076052044070101073049037100005162071168226146241212167153147175015008054029126028195170217136141249133053154180155" | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4252 | ca6630338b490e1ec5803a080aa3ed37.exe
  4252 | ca6630338b490e1ec5803a080aa3ed37.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1592 | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4252 wrote to memory of 1592 | 4252 | ca6630338b490e1ec5803a080aa3ed37.exe | 96
  PID 4252 wrote to memory of 1592 | 4252 | ca6630338b490e1ec5803a080aa3ed37.exe | 96
  PID 4252 wrote to memory of 1592 | 4252 | ca6630338b490e1ec5803a080aa3ed37.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\ca6630338b490e1ec5803a080aa3ed37.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca6630338b490e1ec5803a080aa3ed37.exe"
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4252

  C:\Users\svchost.exe (depth 2, child of PID 4252)
    Command line: C:\Users\svchost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  PID: 1208
Downloads