39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482

General

Target

39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
Size

12.4MB
MD5

2e21d73c2d966944f9abe8b86fdf204e
SHA1

438e391ca8fabb4ad2cc11df14551f076dd67ddc
SHA256

39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482
SHA512

c54f99f7474ae5db41ac442f843c7fce5cb5ca033f18bfc35d618ee2f181a7b589564db20be24cb9c88659d2db9d87c57e712cb2aaf489ef6792cdfb859fa628
SSDEEP

393216:0HoFh75DfUg5eMTy/yRzE5KELV37xbeQs8deRs:0Hob7daMTOKERxSZ8dx

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019a84-231.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3048	7z.exe
324	syltools.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
3048	7z.exe
2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
324	syltools.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x00000000009A0000-0x0000000000BAA000-memory.dmp	upx
behavioral1/files/0x0007000000015cb6-37.dat	upx
behavioral1/memory/324-233-0x0000000010000000-0x0000000010081000-memory.dmp	upx
behavioral1/files/0x0005000000019a84-231.dat	upx
behavioral1/memory/2368-247-0x00000000009A0000-0x0000000000BAA000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	syltools.exe
File opened (read-only)	\??\H:	syltools.exe
File opened (read-only)	\??\J:	syltools.exe
File opened (read-only)	\??\X:	syltools.exe
File opened (read-only)	\??\Z:	syltools.exe
File opened (read-only)	\??\B:	syltools.exe
File opened (read-only)	\??\E:	syltools.exe
File opened (read-only)	\??\N:	syltools.exe
File opened (read-only)	\??\R:	syltools.exe
File opened (read-only)	\??\V:	syltools.exe
File opened (read-only)	\??\Y:	syltools.exe
File opened (read-only)	\??\U:	syltools.exe
File opened (read-only)	\??\W:	syltools.exe
File opened (read-only)	\??\G:	syltools.exe
File opened (read-only)	\??\I:	syltools.exe
File opened (read-only)	\??\O:	syltools.exe
File opened (read-only)	\??\P:	syltools.exe
File opened (read-only)	\??\Q:	syltools.exe
File opened (read-only)	\??\S:	syltools.exe
File opened (read-only)	\??\K:	syltools.exe
File opened (read-only)	\??\L:	syltools.exe
File opened (read-only)	\??\M:	syltools.exe
File opened (read-only)	\??\T:	syltools.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2368-247-0x00000000009A0000-0x0000000000BAA000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\c:\tools\autorun.inf	7z.exe
File opened for modification	\??\c:\tools\autorun.inf	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
324	syltools.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3048	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	28
PID 2368 wrote to memory of 3048	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	28
PID 2368 wrote to memory of 3048	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	28
PID 2368 wrote to memory of 3048	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	28
PID 2368 wrote to memory of 324	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	30
PID 2368 wrote to memory of 324	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	30
PID 2368 wrote to memory of 324	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	30
PID 2368 wrote to memory of 324	2368	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	30

C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
"C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  C:\Users\Admin\AppData\Local\Temp\7z.exe x C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe -p18688699960 -y -oc:\tools
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  PID:3048
- \??\c:\tools\syltools.exe
  c:\tools\syltools.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
919KB

MD5
686e08ef0e632143fc4c2facb8072edd

SHA1
93af191a245bd3b542b3665a677cfd21f013efe8

SHA256
154f32ef79bb84a5aae909211b4020f7ba5e362b650bcbc798bc432dafd459c1

SHA512
1b1e0cf5bd539722a8e36f12769ab149640385d1d2761ecebc2bebeb4092a19e8407a900ffe9ab2c82a628ffd248633ce0fd454cd9c97cc49f076aa204c5532f

Download Submit
C:\tools\11.exe

Filesize
380KB

MD5
ace663ed10d3f87e729f934d724304ac

SHA1
e3f2ae024a0667bdafd7d6360a8e4564bda0c5e6

SHA256
40f8c340f112baa4f4902dd662f9d8af5416e94c16339c37a60ad3d468da7cba

SHA512
2c12281313364658d674dd68905cd0ac23cc079f5488768004c62d9895d4686c87fbfe30ce3b1f3e229476277386b2e98bf961c6b60b8d1e4524a022909b79fa

Download Submit
C:\tools\syltools.exe

Filesize
2.9MB

MD5
ced916f666893d11a4a868254542f1ee

SHA1
83c2cef4f642683e7e14def976d827f417fb2752

SHA256
fa6af994f4389d9856265d13c68c6c5d69eb0385e940570e6adb6e80f26a98ea

SHA512
cbb14866545f8463174c327b6b5d8b82189cda6cf00b884b702bfe274bf22edced72027cd80f472566bfde449c21ae60ec56c95b88f6807d8ef6e25c72fa1f2a

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
164KB

MD5
2667d1d118fe3e9f51f09fa9b5296233

SHA1
ab31e106c118653a22895dc1ea1381d883e76db9

SHA256
72acda706067a16ee03ebfdf0665f47ffaa893755ad210ee309f5934aa095833

SHA512
6b41da8d756fff93a88cfbbb62791ca06680a74fc5b2ba291a74f26b5976b43354fbd96c91f17d8098216e7c584b7dfe354bbefaae397dffc34f48e3ed07177a

Download Submit
\Users\Admin\AppData\Local\Temp\apm1507.tmp

Filesize
148KB

MD5
10a2f663fdc511fd52bfcfd0a8837549

SHA1
e3669af6eeb82c20b10245caa4974cb727b52bf0

SHA256
bd5f2e4ac7c2bea616fa60a50698b0d6d46a9456c08392a5c62c340d6f738eeb

SHA512
7e54bcce8f6813873db102f010431ad1ba83d554e9c368c598d428a1b8e6bc10f3622e559c0daa9d5b1740aa6fc08a5d97bc3f23217035b929a64b0399ce9830

Download Submit
memory/324-245-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-246-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-229-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/324-240-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/324-241-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-242-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/324-244-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-260-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-243-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-233-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/324-259-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-248-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/324-250-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/324-254-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/324-255-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-256-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/324-257-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/324-258-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/2368-247-0x00000000009A0000-0x0000000000BAA000-memory.dmp

Filesize
2.0MB

Download
memory/2368-0-0x00000000009A0000-0x0000000000BAA000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads