7e98e7dcb5d8fce61a19bf3df0dcae6606e097d0c893cb054179e23bce33cc2f

General

Target

caea5f568524ad987464cb959741f278.exe
Size

774KB
MD5

caea5f568524ad987464cb959741f278
SHA1

7c5cf87dbe2b22f4382168068530eb67962af10f
SHA256

7e98e7dcb5d8fce61a19bf3df0dcae6606e097d0c893cb054179e23bce33cc2f
SHA512

1d0f7fba0d5ec2b9a64c745786b00dbba7ced44c38f729481af13014cfac3c870c665f31d4da858e19567c805596b0197230c12b1d6a23d90fd3d9b1b7b92e85
SSDEEP

24576:kK0IGNuarwcxxFBboX6f+fgOYaFUH86BBruB0t/vyPT:kKznGd+fg/xHzXruB0paT

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000012265-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1992	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1228	cservice.exe

Loads dropped DLL 6 IoCs

pid	Process
896	caea5f568524ad987464cb959741f278.exe
896	caea5f568524ad987464cb959741f278.exe
896	caea5f568524ad987464cb959741f278.exe
896	caea5f568524ad987464cb959741f278.exe
1228	cservice.exe
1228	cservice.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012265-4.dat	upx
behavioral1/memory/896-6-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/1228-30-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/1228-38-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/896-46-0x0000000010000000-0x000000001012A000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cservice.exe	caea5f568524ad987464cb959741f278.exe
File opened for modification	C:\Windows\SysWOW64\cservice.exe	caea5f568524ad987464cb959741f278.exe
File created	C:\Windows\SysWOW64\cservice.dll	cservice.exe
File opened for modification	C:\Windows\SysWOW64\cservice.dll	cservice.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\a811bd751c2989b4cdb5dae73484c7a2.dat	cservice.exe
File opened for modification	C:\Windows\Fonts\a811bd751c2989b4cdb5dae73484c7a2.dat	cservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
896	caea5f568524ad987464cb959741f278.exe
1228	cservice.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
896	caea5f568524ad987464cb959741f278.exe
1228	cservice.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1228	896	caea5f568524ad987464cb959741f278.exe	28
PID 896 wrote to memory of 1228	896	caea5f568524ad987464cb959741f278.exe	28
PID 896 wrote to memory of 1228	896	caea5f568524ad987464cb959741f278.exe	28
PID 896 wrote to memory of 1228	896	caea5f568524ad987464cb959741f278.exe	28
PID 1228 wrote to memory of 1292	1228	cservice.exe	21
PID 896 wrote to memory of 1992	896	caea5f568524ad987464cb959741f278.exe	29
PID 896 wrote to memory of 1992	896	caea5f568524ad987464cb959741f278.exe	29
PID 896 wrote to memory of 1992	896	caea5f568524ad987464cb959741f278.exe	29
PID 896 wrote to memory of 1992	896	caea5f568524ad987464cb959741f278.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\caea5f568524ad987464cb959741f278.exe
  "C:\Users\Admin\AppData\Local\Temp\caea5f568524ad987464cb959741f278.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\cservice.exe
    C:\Windows\system32\cservice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\del_file_cd.bat
    3⤵
    - Deletes itself
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
4b93667fd1049edc44df7888773e24d6

SHA1
45a73a3b4c3e43118c6b264a5dd7d30b6cca4e4f

SHA256
f650908d54de80e4cf3a7859efe11812e41e3e4515050434cff904e6a150453a

SHA512
7bffbc049906b990c12820afe004b67b32c83a71c6bd36f6222ff062e9bced38a03f6d80e2dd7b269845ddd986b1517b5e136f5c772d7c6c93f7dc4d12bda0b6

Download Submit
C:\del_file_cd.bat

Filesize
208B

MD5
cb68b958d5c7813348e2c5e34c61446e

SHA1
cfb2607a7f402ec63bb74a88f465b1a2fe700b80

SHA256
770eed9ffff06f3b22ae6933edf461c4d77bc00eb353bb34f85d13c144a938b0

SHA512
1002975e13df146359b1d33aa2524eae0997526504a44920f014913b5859a7b308bc74951012dc6851f810e6d4b700416833ceffe8519c3e8bd78b2c71b2de70

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
124KB

MD5
a062fbf36321864ac8e7e2e408ff0d90

SHA1
8cc46a09096eb373e5e01d7547f108eb09bbac9d

SHA256
249a27ede8d0fbd3e5dd89b9150d1215c7ae1dc2f137db5a67cee44e6b5c0431

SHA512
2ddb24f7f9a6f6b17b4ac3a5e0b4cfe9424a710ef34c7918754bcd4acff8ff41e043c2e8ab829da42d2e4a80cc45b59f309253833ba3d7329ba79d7fc7128819

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
406KB

MD5
c3807c0338c0d375f810afb236cb7200

SHA1
92522e6145c0eaa35716afd575eea2e6c3c729d3

SHA256
5e4972260a7130a96c353ababbdd887e0e2431f0388b8368357527d2311584dc

SHA512
ac3bb279c3a599df315d1bba8c65398fb1f8ddde06e5e558dd533bfa4216c0b45f91624586e8584d2b2879f6b9885599f2abf74d5125ca0f1ca4f74242de2668

Download Submit
\Windows\SysWOW64\cservice.exe

Filesize
121KB

MD5
2e30762b918a5890cfab6c611399b05d

SHA1
2d4de53b37a83e343a9e796e625eecac10e17f08

SHA256
ec6177e34469fbaf60706b55019e23f32707cae7230b39e9b9d5e3c672e0693e

SHA512
9e08b7e2cf2a139fe006639c3ae9138517b8dbc4974d71574e9308372ca3cd2653cf231cdcb13de1a044d474989c1451fc062e523283b84ce3ba234552497a8a

Download Submit
\Windows\SysWOW64\cservice.exe

Filesize
774KB

MD5
caea5f568524ad987464cb959741f278

SHA1
7c5cf87dbe2b22f4382168068530eb67962af10f

SHA256
7e98e7dcb5d8fce61a19bf3df0dcae6606e097d0c893cb054179e23bce33cc2f

SHA512
1d0f7fba0d5ec2b9a64c745786b00dbba7ced44c38f729481af13014cfac3c870c665f31d4da858e19567c805596b0197230c12b1d6a23d90fd3d9b1b7b92e85

Download Submit
memory/896-6-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/896-8-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/896-15-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/896-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/896-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/896-46-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/1228-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1228-38-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/1228-33-0x0000000001EA0000-0x0000000001EC1000-memory.dmp

Filesize
132KB

Download
memory/1228-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1228-30-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/1292-37-0x0000000008BC0000-0x000000000C4F9000-memory.dmp

Filesize
57.2MB

Download

Analysis

Sharing