c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160

General

Target

SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Size

1.3MB
MD5

a10aff228a835255b89419bebf24bdb2
SHA1

959e432c06de820e4778461befb789bde41ebba8
SHA256

c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160
SHA512

5f6bfff9f54d767b377526170f709a37f6fa4bdb066ba837a2603d0aca75f42a0cfdc9c8d4b6f52fdbe0d34573f8e5b13628c6a4f76554d20c36aef41f4f60b4
SSDEEP

24576:14GHnhIzO6YYXsf9vA5eNizYpnjfONnXfoMBtyfuzRODhXym0Iwzl7DDEb81O:Cshd6YYXYNA5L+njat9ROEJNDEo1

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002341a-13.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023419-29.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
420	MP3SoundRecorder.exe

Loads dropped DLL 6 IoCs

pid	Process
420	MP3SoundRecorder.exe
420	MP3SoundRecorder.exe
420	MP3SoundRecorder.exe
420	MP3SoundRecorder.exe
420	MP3SoundRecorder.exe
420	MP3SoundRecorder.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/888-0-0x0000000000F30000-0x00000000011FC000-memory.dmp	upx
behavioral2/files/0x000700000002341a-13.dat	upx
behavioral2/memory/888-79-0x0000000000F30000-0x00000000011FC000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/888-79-0x0000000000F30000-0x00000000011FC000-memory.dmp	autoit_exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MP3SoundRecorder\ti.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\record.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\set.ini	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\Help.chm	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\record.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\set.ini	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\Help.chm	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\readme.txt	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\readme.txt	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\ti.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File created	C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File opened for modification	C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
420	MP3SoundRecorder.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 420	888	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	86
PID 888 wrote to memory of 420	888	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	86
PID 888 wrote to memory of 420	888	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	86

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
  "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe

Filesize
293KB

MD5
4b4596685b04d3d2fa26d3db2566e3d9

SHA1
a585baa7927b7d9ed48e71d16be1cb082380ccf9

SHA256
0febad3d37a4181e6fb0c4b22e3c474ed31feca37ed5cdf467c47034a12801d1

SHA512
46a1919c33a4c560d148e819d723774d70a59a39d1bdcfbfdd8b21c35e79d539408a3c0eedaa8deb773a35fe460852840997eb46f7ae6e03301866a0cea81c39

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\Record.dll

Filesize
144KB

MD5
0900b5101c195e81136d9ae29f2ffab1

SHA1
23aa366cd9680a7cb9d852eafd792ecfacc1b2a0

SHA256
db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1

SHA512
29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll

Filesize
129KB

MD5
b3827cd4220b03a488558ab1d0375688

SHA1
f8b691df0c58ab126aabf716d8ad9b45e0486403

SHA256
5aa9f5dd3532cd512b6a995bfc732fa41920497e58f4a1c4090943b8cc0be272

SHA512
e5b32a8aae9bff6f4d7c5877a60d07383573bed7276495bc01d6cafa5a9ecbe15cbdb40f55d2bf8b8492ffea5e3115df53e649356e82c51b956e7e191c373c22

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll

Filesize
44KB

MD5
e37e04a72f9c06a0ddb327c7a85c4433

SHA1
68dd5bc160ad3838264e3be75211f0a709790b8e

SHA256
b77ef65a7e415a6aa4b10244057951d37e6c19750fec58e271360aa0dc5d94c3

SHA512
de33fec8a9a560b4712c8f17eb34f66f44216e8b05d46f10b4e60636f7fda299cd91d8d893914f741d701497a95e636114e21c4f8533b082a9df49b5aa1c0c20

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll

Filesize
184KB

MD5
43d7d7490fa34f55abb2d91a886f9f86

SHA1
fcb09bc35908631db403a05bb9e4b0b72a0bb003

SHA256
38ca4d2075d74f4ac6a5dade53754320cd31a4270e2c6ab0498ff4bcf4f07acc

SHA512
e48effed54499cfa39ea252064f71bba157e2afb55f7006f6f670d9b1e9a4bd3c8f4d7869658fa5e7b7b043c162df565f64ee07ce3d704647858971b6dc72038

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\set.ini

Filesize
562B

MD5
3bdff134bb920cb94e0f8c276d15b641

SHA1
23fec0ca9ea4b75ed0a01ba8856d365eddd9c375

SHA256
e4ddef3d1e5063d0e57bd70798c45a118b4fe8675029f14aeee3a7578e9e05bb

SHA512
ffdb18835ef95258f16d101dae452c67e5c02d49b281684a67a2ac1d108a5c7643ea9e3d849fa428d0a86fbaa3048a949a59f6e3e99513d256c9daed50536ed8

Download Submit
C:\Program Files (x86)\MP3SoundRecorder\ti.ico

Filesize
318B

MD5
134c8bed1fc5e4a3e770601ae8f27da5

SHA1
6ff5a0f9c9edad8a30ce4892f1b8bf3d313d2160

SHA256
b736782a412a078e8d46ea43199f2f8725cb40ea470ec314763f9cb2a88c9954

SHA512
237941da48a648aa55624001ad3e7f8bf2289de4d6b5fdea78c9c552c7d21cd05d2d6665fa52ac0d761bdbbe3313bf4c8ba07da8e8e8e2de48dc1e1e0670bc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut664B.tmp

Filesize
248KB

MD5
9186d8fc4b4298ca4fc0caa405970a9e

SHA1
f6f97cf79d261908a5872c657aba9cefd9c170c6

SHA256
cff94f945b47337dcf86a255f34c86f7970cd03b194329be0cbd0b980a33ac61

SHA512
5db9ac188a464e382c58c877cf4b4d8c4e528c5db93fe8f501cad8352ee74b59fc910d3de011c0d42e1ac6ec53c16a81f1bcf73e106a8117863e557e74a3f43e

Download Submit
memory/420-85-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/420-87-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/420-91-0x0000000002200000-0x0000000002228000-memory.dmp

Filesize
160KB

Download
memory/420-95-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/420-97-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/888-79-0x0000000000F30000-0x00000000011FC000-memory.dmp

Filesize
2.8MB

Download
memory/888-0-0x0000000000F30000-0x00000000011FC000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing