3a6b712034a6f10100c427b42a100f3d033bedb4626375a00ee5f55ea02a8353

General

Target

dfa13125901da3639c91543d026664e8.exe
Size

123KB
MD5

dfa13125901da3639c91543d026664e8
SHA1

92faa3c518dbee42067c9570f76a0e2253dbdd13
SHA256

3a6b712034a6f10100c427b42a100f3d033bedb4626375a00ee5f55ea02a8353
SHA512

8c64b7606c5d948537cd2cc0b20a7d0a6a18982023845067721b0f487159657620fd69aa774869f396c633fbfaa26619621d925edd556a8d62fd9781239cde53
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLKrz:OVYrJrOSsRwcpYrz

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016c15-30.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1888	iaccess32.exe

Loads dropped DLL 3 IoCs

pid	Process
2620	regsvr32.exe
1888	iaccess32.exe
1888	iaccess32.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1568-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1568-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0009000000012245-5.dat	upx
behavioral1/memory/1568-8-0x0000000000330000-0x000000000035E000-memory.dmp	upx
behavioral1/memory/1888-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0006000000016c15-30.dat	upx
behavioral1/memory/2620-32-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral1/memory/1888-44-0x0000000003240000-0x0000000003250000-memory.dmp	upx
behavioral1/memory/1888-58-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-82-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-83-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-84-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-85-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-88-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-89-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-90-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-92-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-93-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1888-94-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e_2_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100702130724\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100702130724\dialerexe.ini	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\iaccess32.exe	dfa13125901da3639c91543d026664e8.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
3012	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1568	dfa13125901da3639c91543d026664e8.exe
1888	iaccess32.exe
1888	iaccess32.exe
1888	iaccess32.exe
1888	iaccess32.exe
1888	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1888	1568	dfa13125901da3639c91543d026664e8.exe	28
PID 1568 wrote to memory of 1888	1568	dfa13125901da3639c91543d026664e8.exe	28
PID 1568 wrote to memory of 1888	1568	dfa13125901da3639c91543d026664e8.exe	28
PID 1568 wrote to memory of 1888	1568	dfa13125901da3639c91543d026664e8.exe	28
PID 1888 wrote to memory of 3012	1888	iaccess32.exe	29
PID 1888 wrote to memory of 3012	1888	iaccess32.exe	29
PID 1888 wrote to memory of 3012	1888	iaccess32.exe	29
PID 1888 wrote to memory of 3012	1888	iaccess32.exe	29
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30
PID 1888 wrote to memory of 2620	1888	iaccess32.exe	30

C:\Users\Admin\AppData\Local\Temp\dfa13125901da3639c91543d026664e8.exe
"C:\Users\Admin\AppData\Local\Temp\dfa13125901da3639c91543d026664e8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:3012
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20100702130724\dialerexe.ini

Filesize
587B

MD5
ba025db6d2002a29d3a9a6b542253cac

SHA1
5eb01a07c65e5a529513e6a382f974aa3b1a639e

SHA256
936d7befe225219d90c586edd441c396f1a358c77e3513f8a5e469218d86bfea

SHA512
a2b3a38492cb2caa8b7df33b82a3847778c21c131dd2b0460d8e10f43b24982ef719aad8a588e7b60ba9d4125a754795edcd0b3ddeed5a75ac329b75a9606363

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
bbd5f458aadfb797e49f6a2bd40c02e7

SHA1
7e5d918a68f66005711a7d4bd4804f1563f2f922

SHA256
2c2b29649613032c181abb9587eca0bf8cb44806dc2361ad7fdd21eb8a42fa5c

SHA512
cabcd79c6dc7be8ead3525a407bc40ea37a888b05d0bc2c138710e631fd2dc60ffbfad43b519b46e7b83ef41330a799a69d3d82b6cef6d418d24eed93783a9b7

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
8f72af76355979ee5e35f1d3b8f43925

SHA1
762ebf0ad33e25386a0b90572bc29d0a1c336cd0

SHA256
0354b1752f15f4f94587caf480a1477785c5dbbb8961c750e3d0154977eeb41d

SHA512
da7bec33885c5ec93d18b462058c12efb5cb98c9cec6b4afeccad49e9b77915c4bb0d4540f1f52c570d235b4f7e36e8755f92ad0b772a50e7daa8fff2c95b88c

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/1568-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1568-8-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/1568-59-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/1568-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-54-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/1888-94-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-61-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/1888-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-44-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/1888-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-88-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-93-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-32-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing