39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482

General

Target

39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
Size

12.4MB
MD5

2e21d73c2d966944f9abe8b86fdf204e
SHA1

438e391ca8fabb4ad2cc11df14551f076dd67ddc
SHA256

39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482
SHA512

c54f99f7474ae5db41ac442f843c7fce5cb5ca033f18bfc35d618ee2f181a7b589564db20be24cb9c88659d2db9d87c57e712cb2aaf489ef6792cdfb859fa628
SSDEEP

393216:0HoFh75DfUg5eMTy/yRzE5KELV37xbeQs8deRs:0Hob7daMTOKERxSZ8dx

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002296a-226.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4372	7z.exe
5780	syltools.exe

Loads dropped DLL 2 IoCs

pid	Process
4372	7z.exe
5780	syltools.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2072-0-0x0000000000B30000-0x0000000000D3A000-memory.dmp	upx
behavioral2/files/0x000700000002341e-34.dat	upx
behavioral2/files/0x000600000002296a-226.dat	upx
behavioral2/memory/5780-229-0x0000000010000000-0x0000000010081000-memory.dmp	upx
behavioral2/memory/2072-254-0x0000000000B30000-0x0000000000D3A000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	syltools.exe
File opened (read-only)	\??\E:	syltools.exe
File opened (read-only)	\??\I:	syltools.exe
File opened (read-only)	\??\J:	syltools.exe
File opened (read-only)	\??\M:	syltools.exe
File opened (read-only)	\??\N:	syltools.exe
File opened (read-only)	\??\Q:	syltools.exe
File opened (read-only)	\??\R:	syltools.exe
File opened (read-only)	\??\V:	syltools.exe
File opened (read-only)	\??\W:	syltools.exe
File opened (read-only)	\??\Y:	syltools.exe
File opened (read-only)	\??\X:	syltools.exe
File opened (read-only)	\??\B:	syltools.exe
File opened (read-only)	\??\G:	syltools.exe
File opened (read-only)	\??\H:	syltools.exe
File opened (read-only)	\??\K:	syltools.exe
File opened (read-only)	\??\L:	syltools.exe
File opened (read-only)	\??\O:	syltools.exe
File opened (read-only)	\??\T:	syltools.exe
File opened (read-only)	\??\P:	syltools.exe
File opened (read-only)	\??\U:	syltools.exe
File opened (read-only)	\??\Z:	syltools.exe
File opened (read-only)	\??\A:	syltools.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2072-254-0x0000000000B30000-0x0000000000D3A000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\c:\tools\autorun.inf	7z.exe
File opened for modification	\??\c:\tools\autorun.inf	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5780	syltools.exe
Token: SeCreatePagefilePrivilege	5780	syltools.exe
Token: SeShutdownPrivilege	5780	syltools.exe
Token: SeCreatePagefilePrivilege	5780	syltools.exe
Token: 33	3124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3124	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5780	syltools.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4372	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	82
PID 2072 wrote to memory of 4372	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	82
PID 2072 wrote to memory of 4372	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	82
PID 2072 wrote to memory of 5780	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	87
PID 2072 wrote to memory of 5780	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	87
PID 2072 wrote to memory of 5780	2072	39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe	87

C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe
"C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  C:\Users\Admin\AppData\Local\Temp\7z.exe x C:\Users\Admin\AppData\Local\Temp\39f7e2b5de54745bbd54c098809633758732875d9fef2ac52af0c81abdccd482.exe -p18688699960 -y -oc:\tools
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  PID:4372
- \??\c:\tools\syltools.exe
  c:\tools\syltools.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
cb2ebf84ae67301c8aff33863cff048c

SHA1
7087a0c08eda96a5e45c06c0cd232beebbbd7e70

SHA256
fc3b815aba9ddf583916fdb3e88215e75b0c704389ba5bbb0363f7acb372ee80

SHA512
c11de7a44e4a25324cfa7dfed6f73bb4804805c732699694c0f433196612c1218e40b57d979bbcb26b0fa0b5578d7e9b52d6c504fccecf0fb233b8a6c6975f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
919KB

MD5
686e08ef0e632143fc4c2facb8072edd

SHA1
93af191a245bd3b542b3665a677cfd21f013efe8

SHA256
154f32ef79bb84a5aae909211b4020f7ba5e362b650bcbc798bc432dafd459c1

SHA512
1b1e0cf5bd539722a8e36f12769ab149640385d1d2761ecebc2bebeb4092a19e8407a900ffe9ab2c82a628ffd248633ce0fd454cd9c97cc49f076aa204c5532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
164KB

MD5
2667d1d118fe3e9f51f09fa9b5296233

SHA1
ab31e106c118653a22895dc1ea1381d883e76db9

SHA256
72acda706067a16ee03ebfdf0665f47ffaa893755ad210ee309f5934aa095833

SHA512
6b41da8d756fff93a88cfbbb62791ca06680a74fc5b2ba291a74f26b5976b43354fbd96c91f17d8098216e7c584b7dfe354bbefaae397dffc34f48e3ed07177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\apm3A98.tmp

Filesize
148KB

MD5
10a2f663fdc511fd52bfcfd0a8837549

SHA1
e3669af6eeb82c20b10245caa4974cb727b52bf0

SHA256
bd5f2e4ac7c2bea616fa60a50698b0d6d46a9456c08392a5c62c340d6f738eeb

SHA512
7e54bcce8f6813873db102f010431ad1ba83d554e9c368c598d428a1b8e6bc10f3622e559c0daa9d5b1740aa6fc08a5d97bc3f23217035b929a64b0399ce9830

Download Submit
C:\tools\11.exe

Filesize
380KB

MD5
ace663ed10d3f87e729f934d724304ac

SHA1
e3f2ae024a0667bdafd7d6360a8e4564bda0c5e6

SHA256
40f8c340f112baa4f4902dd662f9d8af5416e94c16339c37a60ad3d468da7cba

SHA512
2c12281313364658d674dd68905cd0ac23cc079f5488768004c62d9895d4686c87fbfe30ce3b1f3e229476277386b2e98bf961c6b60b8d1e4524a022909b79fa

Download Submit
C:\tools\syltools.exe

Filesize
2.9MB

MD5
ced916f666893d11a4a868254542f1ee

SHA1
83c2cef4f642683e7e14def976d827f417fb2752

SHA256
fa6af994f4389d9856265d13c68c6c5d69eb0385e940570e6adb6e80f26a98ea

SHA512
cbb14866545f8463174c327b6b5d8b82189cda6cf00b884b702bfe274bf22edced72027cd80f472566bfde449c21ae60ec56c95b88f6807d8ef6e25c72fa1f2a

Download Submit
memory/2072-254-0x0000000000B30000-0x0000000000D3A000-memory.dmp

Filesize
2.0MB

Download
memory/2072-0-0x0000000000B30000-0x0000000000D3A000-memory.dmp

Filesize
2.0MB

Download
memory/5780-224-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5780-229-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/5780-255-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/5780-260-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads