17ac11987749a2a94fb2908e556dd28bccb7a4d6bf90101a4d186307bc57ac50

General

Target

dfcd8062008e2656ece14ae234f3f43e.exe
Size

123KB
MD5

dfcd8062008e2656ece14ae234f3f43e
SHA1

70185d4b7ae268309e5723196c04688fe2cc855e
SHA256

17ac11987749a2a94fb2908e556dd28bccb7a4d6bf90101a4d186307bc57ac50
SHA512

973099f0e73cf0161a479a2b61aa23a6af100bd5be8594fb754e5d30e85e8f06b4c34be2bae36683f2f78e88673f153849a4df88659eaae02a60b930659fb8d2
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLoBrSBc:OVYrJrOSsRwcp96

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023241-26.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
1340	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4172-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000200000001f656-3.dat	upx
behavioral2/memory/1340-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4172-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0007000000023241-26.dat	upx
behavioral2/memory/1372-28-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral2/memory/1340-58-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e_logo_2.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100630180649\dialerexe.ini	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100630180649\medias\p2e_go_3.gif	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\iaccess32.exe	dfcd8062008e2656ece14ae234f3f43e.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\IESettingSync	iaccess32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
1412	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4172	dfcd8062008e2656ece14ae234f3f43e.exe
1340	iaccess32.exe
1340	iaccess32.exe
1340	iaccess32.exe
1340	iaccess32.exe
1340	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1340	4172	dfcd8062008e2656ece14ae234f3f43e.exe	87
PID 4172 wrote to memory of 1340	4172	dfcd8062008e2656ece14ae234f3f43e.exe	87
PID 4172 wrote to memory of 1340	4172	dfcd8062008e2656ece14ae234f3f43e.exe	87
PID 1340 wrote to memory of 1412	1340	iaccess32.exe	91
PID 1340 wrote to memory of 1412	1340	iaccess32.exe	91
PID 1340 wrote to memory of 1412	1340	iaccess32.exe	91
PID 1340 wrote to memory of 1372	1340	iaccess32.exe	92
PID 1340 wrote to memory of 1372	1340	iaccess32.exe	92
PID 1340 wrote to memory of 1372	1340	iaccess32.exe	92

C:\Users\Admin\AppData\Local\Temp\dfcd8062008e2656ece14ae234f3f43e.exe
"C:\Users\Admin\AppData\Local\Temp\dfcd8062008e2656ece14ae234f3f43e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:1412
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NOCREDITCARD.lnk

Filesize
2KB

MD5
3f6792bb93caf83a7d085b45d04aebbd

SHA1
515242babe6892a87fb4f7da216300f8b9a1122d

SHA256
bbfac7328c1afd05404ccc00ed807cba2e4e587f9f72462eed8b61f2b794aa15

SHA512
3b49d94620ca52081c311f6edd41c72c04b1690d6d693dc9365206ffb4ef9f0b2994c0f34382bc011db9a84bda047a2bcbff9d57856f83d70cfe1039d49a550c

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
64fd2ddaf481068d99f09b94af38d8c6

SHA1
ec15c8522ac8135982c5aea753aa952e24d6f3a6

SHA256
6633c82c83e91e24efd92b89c986c6dd260ab6de4a190d8731176b0ad6eaff7f

SHA512
e7a345a8c13d5ff212cfcf5d704ffa9ebcbb9d98f1646f0e3e0ab2f3a2415d0d1923cbb04b0e4cd365a8f40cd7187bc45d2dd77ce02c200ee93ab69b4789401f

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\dialerexe.ini

Filesize
587B

MD5
0042762c9c3b9149468e0ad16068402b

SHA1
2ebd0f4c8078f0276fc14ee740670153d3a448b4

SHA256
d5ed1e5745b6a64eecdf306d2e419b4e00c80efd620b63a8b577afb03e1c8959

SHA512
08af3afb6b112823a3f0b0aaff0231e0ac9ca9b1b3a4b099afc3e87e37c91f1e567eb93e449560106006b0b96d21c12389f2c543dc15a86f3ddd4ffdd442133d

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
8b0701656a8107e964b3a8df06e3f3bf

SHA1
966b2d32fa618260adbef14f416830a74949bf7a

SHA256
5f1aad37ed0147c0c564aa9252b561e5496237f6be3bb4aa56d47f001b06d44f

SHA512
b0c4cdb993f3eb6ad51ba44976e5bf02f2f2800f7b4666d7c128a7bcff4baaae35eece3b9e7501a718aa160997054db8bce72e2646bc97ee3ba63ce4d53ad403

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/1340-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1372-28-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/4172-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4172-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing