21c3dda1705a30f4d677e8bfbda332ca184e75fa377bf83e64e579209f360962

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Acrylic.exe
Size

742KB
MD5

8c77fcf5f467626fb50dec55cccbe3b3
SHA1

654f9503633c2c82f592f9ba079dc0e966615e25
SHA256

21c3dda1705a30f4d677e8bfbda332ca184e75fa377bf83e64e579209f360962
SHA512

c51807bb1350c7362fa5754b01cbbef5a3f37b821c28dd175d5845b601ed74ab567621a6e0e7c5add3aa02dadea83dafc2a8a12d02bde85043051a227ff32cde
SSDEEP

12288:oC07G2USZ3Ix8oPYSK8U4tGNJzzCUzgOAF33HvPLC0d0fGCxzGyFLdFINnq:ov7G2T3uP9KX4sNJXCUzgOK3HbSACFsq

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AcrylicService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AcrylicDNSProxySvc\ImagePath = "\"C:\\Program Files (x86)\\Acrylic DNS Proxy\\AcrylicService.exe\""	AcrylicService.exe

Executes dropped EXE 4 IoCs

Processes:

AcrylicUI.exeAcrylicService.exeAcrylicService.exeAcrylicUI.exe

pid process

1424 AcrylicUI.exe
2824 AcrylicService.exe
1924 AcrylicService.exe
588 AcrylicUI.exe
Loads dropped DLL 6 IoCs

Processes:

Acrylic.exeAcrylicUI.exe

pid process

2100 Acrylic.exe
2100 Acrylic.exe
2100 Acrylic.exe
2100 Acrylic.exe
1424 AcrylicUI.exe
1424 AcrylicUI.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.exeICACLS.exe

pid process

1748 ICACLS.exe
1288 ICACLS.exe

pid	process
1424	AcrylicUI.exe
2824	AcrylicService.exe
1924	AcrylicService.exe
588	AcrylicUI.exe

pid	process
2100	Acrylic.exe
2100	Acrylic.exe
2100	Acrylic.exe
2100	Acrylic.exe
1424	AcrylicUI.exe
1424	AcrylicUI.exe

pid	process
1748	ICACLS.exe
1288	ICACLS.exe

Drops file in Program Files directory 19 IoCs

Processes:

Acrylic.exe

description	ioc	process
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicConsole.exe	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\Uninstall.exe	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\StartAcrylicService.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\ActivateAcrylicDebugLog.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\UninstallAcrylicService.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicConfiguration.ini	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicHosts.txt	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\ReadMe.txt	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\StopAcrylicService.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\RestartAcrylicService.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\PurgeAcrylicCacheData.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\DeactivateAcrylicDebugLog.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\OpenAcrylicHostsFile.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe.manifest	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\License.txt	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\InstallAcrylicService.bat	Acrylic.exe
File created	C:\Program Files (x86)\Acrylic DNS Proxy\OpenAcrylicConfigurationFile.bat	Acrylic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AcrylicUI.exe

pid	process
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe
588	AcrylicUI.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Acrylic.exeAcrylicUI.exeNet.exe

description	pid	process	target process
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 2100 wrote to memory of 1424	2100	Acrylic.exe	AcrylicUI.exe
PID 1424 wrote to memory of 2824	1424	AcrylicUI.exe	AcrylicService.exe
PID 1424 wrote to memory of 2824	1424	AcrylicUI.exe	AcrylicService.exe
PID 1424 wrote to memory of 2824	1424	AcrylicUI.exe	AcrylicService.exe
PID 1424 wrote to memory of 2824	1424	AcrylicUI.exe	AcrylicService.exe
PID 1424 wrote to memory of 1748	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1748	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1748	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1748	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1288	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1288	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1288	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 1288	1424	AcrylicUI.exe	ICACLS.exe
PID 1424 wrote to memory of 2160	1424	AcrylicUI.exe	Net.exe
PID 1424 wrote to memory of 2160	1424	AcrylicUI.exe	Net.exe
PID 1424 wrote to memory of 2160	1424	AcrylicUI.exe	Net.exe
PID 1424 wrote to memory of 2160	1424	AcrylicUI.exe	Net.exe
PID 2160 wrote to memory of 2224	2160	Net.exe	net1.exe
PID 2160 wrote to memory of 2224	2160	Net.exe	net1.exe
PID 2160 wrote to memory of 2224	2160	Net.exe	net1.exe
PID 2160 wrote to memory of 2224	2160	Net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\Acrylic.exe
"C:\Users\Admin\AppData\Local\Temp\Acrylic.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2100

C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe
"C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe" InstallAcrylicService
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe
"C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe" /INSTALL /SILENT
3⤵
- Sets service image path in registry
- Executes dropped EXE
PID:2824

C:\Windows\SysWOW64\ICACLS.exe
ICACLS.exe "C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe" /inheritance:d
3⤵
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\ICACLS.exe
ICACLS.exe "C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe" /remove:g "Authenticated Users"
3⤵
- Modifies file permissions
PID:1288

C:\Windows\SysWOW64\Net.exe
Net.exe Start AcrylicDNSProxySvc
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 Start AcrylicDNSProxySvc
4⤵
PID:2224

C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe
"C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe
"C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicConfiguration.ini

Filesize
27KB

MD5
e8a4d3661e93f17b625512361d2050aa

SHA1
7ad8f3afbc3ad04a47099c19fdf8282b039f1b88

SHA256
325cd3a77d57b9d5ae88e644a64cb65a8575c63d9ede7a7fead46ffe678a429b

SHA512
0b3d66704b953b692e85967505f5f3f624e004c8de9748435bb73f22972a370620851300b71ff1296d0788f9b27f0766f79487e2f90b2d4d168a35d8f1a0bfc1

Download Submit
C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicHosts.txt

Filesize
3KB

MD5
058b231416852ef49129e6cb26540de1

SHA1
df0409bb72511377371a8e7196193bf66f446b90

SHA256
1c229dc5d3e954c54df460958dc698b9a2b968eab9177bb32b8acec3dc836a3b

SHA512
47b53d6d3a4d304bdfc579cc01ccf1389900bb548f848a1e138d7914f232b971783201f2a7905e5a3f63e8fad164137366d44a033b9ff783d2b2acce15cdd11e

Download Submit
C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe

Filesize
755KB

MD5
939115bde53068322bfb4d3cbac32f9a

SHA1
68598f57932cc09d6b35a591426a2e83bdf28f34

SHA256
ea85e594e9b0c7c73cdb35d74670d02f07a7d19fcf80c4f188408e7b442c60a1

SHA512
d1991f9fcfad62c21e861898f3d1dd6700932e43a98b97d8dcf178c95baed3814e20fd447cc761670ed840d6e7afcec5f1fe8813552bedf646df8101a457ea79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1315.tmp\ioSpecial.ini

Filesize
1KB

MD5
146a1084c7b4e61062209547b60d39ed

SHA1
decacd1a6030ad84d01399086665b85f0b693375

SHA256
aa7944344d6ac863df97333f87ad3595942b374b9951d639110b9a9efa3277d4

SHA512
dd35bc4bea1887f0ede9e08232a3015ad2d7fdddc7811b5e7ad42d6e26e96748a3000e9d97a04ca9c9268703da67bbf0332d3f26e02c253053e85ed20f83ee72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1315.tmp\ioSpecial.ini

Filesize
1KB

MD5
1e5e79041acbc91a372487fd9ac0b8c3

SHA1
123c5e778e0355f73b60ae1446a42386b7346f44

SHA256
0e4befd12ba711ad32c2920ed93d7a01e181b1c24ecb6b9b25ea7dbc1980030a

SHA512
4b92ca4bf30a265d1f98ce3129d70a0f84dfb705a7913e782e3fba3c65181d24f2b3fb06a7919530a19e26a1cca54b1257f1cd7e85db6683555adb9e6b835328

Download Submit
\Program Files (x86)\Acrylic DNS Proxy\AcrylicUI.exe

Filesize
572KB

MD5
9f82dc46fad4bf327e63fe92cbb9702c

SHA1
cbe517a40db31b48a988d7791454a53b19e41436

SHA256
68183b903249c26d90d214fa1b60d53f5d100af8f87da5847769230bca189693

SHA512
f704757c32b5608c679b5948c9ba5176442c353ab217ffac67c9004cff6f220367096fabca75b04ed5948572cb94dffa23d12d2acff459d6f0177502e8d2b7fe

Download Submit
\Program Files (x86)\Acrylic DNS Proxy\Uninstall.exe

Filesize
72KB

MD5
ada07b70b8db564ea7b0a26d13fb4129

SHA1
9c81f0c84989f36d55d48e7d3b0393c2b21b2acf

SHA256
7e78d44648f3be061a984b5ba00b2a6b9172c070f03c823b852a67d78a880ee5

SHA512
61f56d6c6df7c309a0358e5a767ea730a9a75090a1246fb49d32b762aa4ce21401bd2e8be7f45d9e6c5a015561ef9b2f345af6db415d795e2708373012fc7edd

Download Submit
\Users\Admin\AppData\Local\Temp\nso1315.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
memory/588-195-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1424-118-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1924-192-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/2824-114-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download