b34cf1675a8b79c06301a9029e0c4b47d916bff0752e4b4cb289bf84f1912464

General

Target

plugin2.exe
Size

4.2MB
MD5

b346f27746c82026ddc8d6623bea4d5a
SHA1

b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a
SHA256

9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2
SHA512

2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef
SSDEEP

98304:9+q7OxiuoJmf1kkdATd6Ufpb/ys4DOyvh80QdGsuMwzg3:QxZoJmf1TATdjd4xu0QAsUk3

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000a000000023b6b-23.dat	acprotect
behavioral4/files/0x000a000000023b70-26.dat	acprotect
behavioral4/files/0x000a000000023b6f-28.dat	acprotect
behavioral4/files/0x000a000000023b76-34.dat	acprotect
behavioral4/files/0x000a000000023b6e-36.dat	acprotect
behavioral4/files/0x000a000000023b72-40.dat	acprotect
behavioral4/files/0x000a000000023b73-43.dat	acprotect
behavioral4/files/0x000a000000023b75-48.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.dll-d1f22018eb4333fa4d3b6158c5759a37.lnk	plugin2.exe

Loads dropped DLL 8 IoCs

pid	Process
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe
60	plugin2.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4848-0-0x0000000000240000-0x0000000000281000-memory.dmp	upx
behavioral4/files/0x000a000000023b6b-23.dat	upx
behavioral4/memory/60-25-0x0000000074A00000-0x0000000074CB3000-memory.dmp	upx
behavioral4/files/0x000a000000023b70-26.dat	upx
behavioral4/files/0x000a000000023b6f-28.dat	upx
behavioral4/memory/60-31-0x0000000074810000-0x000000007492A000-memory.dmp	upx
behavioral4/memory/60-30-0x0000000074930000-0x0000000074948000-memory.dmp	upx
behavioral4/files/0x000a000000023b76-34.dat	upx
behavioral4/files/0x000a000000023b6e-36.dat	upx
behavioral4/memory/60-38-0x000000001E8C0000-0x000000001E8E1000-memory.dmp	upx
behavioral4/memory/60-39-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral4/files/0x000a000000023b72-40.dat	upx
behavioral4/memory/60-42-0x000000001E200000-0x000000001E27A000-memory.dmp	upx
behavioral4/files/0x000a000000023b73-43.dat	upx
behavioral4/memory/60-45-0x00000000742A0000-0x00000000742BE000-memory.dmp	upx
behavioral4/files/0x000a000000023b75-48.dat	upx
behavioral4/memory/60-50-0x000000001E800000-0x000000001E86E000-memory.dmp	upx
behavioral4/memory/60-55-0x0000000000240000-0x0000000000281000-memory.dmp	upx
behavioral4/memory/60-69-0x00000000742A0000-0x00000000742BE000-memory.dmp	upx
behavioral4/memory/60-68-0x000000001E200000-0x000000001E27A000-memory.dmp	upx
behavioral4/memory/4848-85-0x0000000000240000-0x0000000000281000-memory.dmp	upx
behavioral4/memory/60-67-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral4/memory/60-66-0x000000001E8C0000-0x000000001E8E1000-memory.dmp	upx
behavioral4/memory/60-65-0x0000000074810000-0x000000007492A000-memory.dmp	upx
behavioral4/memory/60-64-0x0000000074A00000-0x0000000074CB3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows.dll-d1f22018eb4333fa4d3b6158c5759a37 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugin2.exe"	plugin2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2884	60	WerFault.exe	83
4708	60	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 60	4848	plugin2.exe	83
PID 4848 wrote to memory of 60	4848	plugin2.exe	83
PID 4848 wrote to memory of 60	4848	plugin2.exe	83

C:\Users\Admin\AppData\Local\Temp\plugin2.exe
"C:\Users\Admin\AppData\Local\Temp\plugin2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\plugin2.exe
  "C:\Users\Admin\AppData\Local\Temp\plugin2.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1260
    3⤵
    - Program crash
    PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1268
    3⤵
    - Program crash
    PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 60 -ip 60
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 60 -ip 60
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48482\_ctypes.pyd

Filesize
37KB

MD5
d7f2a6f8ceef96a76dc55064c1d0d065

SHA1
336d2ad30f77baf2382a6d8d13618ecf918dff24

SHA256
95203f4fa2bb28f83939a8666ea6c975c8123b906a2eccae7f6d75ad9c77a84b

SHA512
14929cfbbedf8359be1e373ba69553335c700deff1951ecfa7a2bd53cb4fe157bd5c5d626edd97fcdbb2f3aa3e91ab076d79172673924828e6f59698e82e904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\_hashlib.pyd

Filesize
375KB

MD5
fe9d1b72e0d336a8066d80423b2c63f6

SHA1
f78c95d1b0a8bfdbaa2ec3f353c7b295708a316b

SHA256
4a5b0119a05582cb85c35995d3f18c1a429461583c5cd1f2fd95a93ed2afe4ff

SHA512
201fc2c0b938128e6041256e8263b6e0da1fe4befcd4d525a1952b1f6e58e08bf645323d06a516774a30ab80769412e2941acbdd49e6dddefb1c43b27a7878d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\bz2.pyd

Filesize
35KB

MD5
291f0811eb4a4a7df13b499c2d701623

SHA1
8ebcfc6f172fce8d4e03688ea6e42428c65f7c79

SHA256
5aa88b01d0f37d0b2652a17698ef0c003d2b4e87648e368c19c19766c4b68501

SHA512
18a36d8cf2eee44c8fbe7eb454f7aa78d88e51cd5382a158e1dd910c5a121275b45c7bf8f0629cee3a959db7a09d61ad7f0b4a58dc8e5347e6a028be7a1e3db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\python27.dll

Filesize
880KB

MD5
6138016baaf592eec469d8c12ce4dc8f

SHA1
5c60a6678d5174bd9b5ee62af37fc9cdf1e4e66b

SHA256
97e3d69aee31bc6f3a2e42c37f5f71ce4847f95fed464f0009ad081e7d1046ef

SHA512
24455441e57fcc4b6b5f8a2086d6f56ec77549980f62fc028d00431db7d644a1cb008e7f8356873d701aa04caecf5c2d553fe708af10a5c0251d67f291077e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\pythoncom27.dll

Filesize
116KB

MD5
b5e816d9d5b082ea838ff3c92c17e4eb

SHA1
c9cf16f2e5cab843f630120a315ac0ee386b2bd8

SHA256
2608e2dc017887d806212d99ee35b22c2d1e2cfb1500a9e42dabccb55d15a00b

SHA512
302f7e62c1ed5beb84abac166223849286c45ad2b37fd71f2cc3ecc38deaf2ef0c0d4b729e92361f719ec5f5f1bfe8ee22cac91c46ae62718ede780969d56e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\pywintypes27.dll

Filesize
52KB

MD5
31e477b8317230a3d3b487cd7602415a

SHA1
f819b5c858db5fed1040a8576313917374ca944a

SHA256
021363d1945a8f1ec102bc29ecb32a11afa51023a42b4d951a9a50be5a2a42a9

SHA512
4f91f80c0d0cf671e637618b810c4e5cdc0699adce6b88ffa55058deb4fff98bdbb319712c6138e3692b9353ad33af9871abd643c63a791844653a9e980000d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\win32api.pyd

Filesize
34KB

MD5
96bc06d86df79fcb05915aa7e9e1ca76

SHA1
76f6f814869b2b1519c23f8dea96a67646c96882

SHA256
f66ee4eac6a46133597eb85a48b1caf10df74db817a96629629e33ac4e68ad57

SHA512
5ab22e797bf2cb83b620bc1f84b8e1e31f60973d92ac3ada829f66defbe9c63fc1c107422ffe5cd3042abd0ad36ec9c0c3149470026b8c9fcebe6e361e4adf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48482\win32com.shell.shell.pyd

Filesize
88KB

MD5
70b6a6e42eb081a629812393ab8b6dfc

SHA1
6d54a38b86ee4730fc6d24963ef56c8df95433c9

SHA256
6b6da79c99e28c32c7df3f85c96da029842fa0bcdbc20af08d4bc7644a772c36

SHA512
29873d11e596ebb95898be53f2e9ba2a7c2dadb9b5e51bdc89b9050f9beca574ebd855e5dd47ee88544028c4592c526f81308ff0f1906ea5fad7c97c7bb75b4f

Download Submit
memory/60-45-0x00000000742A0000-0x00000000742BE000-memory.dmp

Filesize
120KB

Download
memory/60-52-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/60-39-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/60-30-0x0000000074930000-0x0000000074948000-memory.dmp

Filesize
96KB

Download
memory/60-42-0x000000001E200000-0x000000001E27A000-memory.dmp

Filesize
488KB

Download
memory/60-31-0x0000000074810000-0x000000007492A000-memory.dmp

Filesize
1.1MB

Download
memory/60-64-0x0000000074A00000-0x0000000074CB3000-memory.dmp

Filesize
2.7MB

Download
memory/60-25-0x0000000074A00000-0x0000000074CB3000-memory.dmp

Filesize
2.7MB

Download
memory/60-50-0x000000001E800000-0x000000001E86E000-memory.dmp

Filesize
440KB

Download
memory/60-38-0x000000001E8C0000-0x000000001E8E1000-memory.dmp

Filesize
132KB

Download
memory/60-53-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/60-54-0x0000000002540000-0x0000000002571000-memory.dmp

Filesize
196KB

Download
memory/60-55-0x0000000000240000-0x0000000000281000-memory.dmp

Filesize
260KB

Download
memory/60-69-0x00000000742A0000-0x00000000742BE000-memory.dmp

Filesize
120KB

Download
memory/60-68-0x000000001E200000-0x000000001E27A000-memory.dmp

Filesize
488KB

Download
memory/60-65-0x0000000074810000-0x000000007492A000-memory.dmp

Filesize
1.1MB

Download
memory/60-67-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/60-66-0x000000001E8C0000-0x000000001E8E1000-memory.dmp

Filesize
132KB

Download
memory/4848-85-0x0000000000240000-0x0000000000281000-memory.dmp

Filesize
260KB

Download
memory/4848-0-0x0000000000240000-0x0000000000281000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads