Analysis
-
max time kernel
137s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 16:39
General
-
Target
af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
-
Size
1.4MB
-
MD5
a9c11049f1ede0225dac68f96c37fdf3
-
SHA1
4f26c7ea18895ddf02e35ce376aaf48c04a4ce28
-
SHA256
af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54
-
SHA512
d7c2d2ad6bae2f1fd5518e2b5c33e59e8f642b2307bec75faff86e65c87f4dfff4b74f06f0ad31e9c4533f7b7acb6ad895d5ce2d88402bf1aac7543414718555
-
SSDEEP
24576:MfSDKK9C9pLmPET243ZlpZOTy+it8Po/olPhA8sEXSFjQG9xmreCmU+9i:YS1eV64Jelit8QAlPhfsq8jRISCk9i
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Loads dropped DLL 15 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe"C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /End /TN MicrosoftEdgeUpdateBrowserReplacementTask2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /End /TN MicrosoftEdgeUpdateTaskMachineCore2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /End /TN MicrosoftEdgeUpdateTaskMachineUA2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Delete /TN MicrosoftEdgeUpdateBrowserReplacementTask /F2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Delete /TN MicrosoftEdgeUpdateTaskMachineCore /F2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Delete /TN MicrosoftEdgeUpdateTaskMachineUA /F2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c systeminfo & del /f /q "C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo3⤵
- Gathers system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD59e35968f76080747d7d83b7d2bfcbf88
SHA1f3a89f8383b19d59b87b68f6a429661044482a94
SHA256514b342c8471f75ae831068a45cb9b5c59c472c354f242c5bff032b21a014586
SHA512603c43b5ea9c562da78552466e3977a19fdb77fc75c8fa8b12c1a5b4522bf122ffef4131641fc5b57dc4b6a1741d595f8566cb99cf7f6ef73e81548f341b615a
-
C:\Users\Admin\AppData\Local\Temp\broscfg.dllFilesize
1.3MB
MD5e7e63934509e4962ffe6662defb4153d
SHA19bb76af08ce49fe9b92ab7b7e08a94b61aff0f73
SHA256fbe7a0ead89b2e4414ed8bdcbcf7f789fbf4644caa3dd59137a823f7d4ea930a
SHA5126da4771a751eaa94cfd3613dd80fe0805cdb8df023f2abfa9c865449df8bedb96f7f25c2e9e33bac6f8e1e3d742553cd2b7d4eb8510849efe9b8957f48f2fd67
-
C:\Users\Admin\AppData\Local\TheWorld6\User Data\Default\Preferences.tmpFilesize
10KB
MD5f49633b4fee954a8a2b9d28a95e80418
SHA11325fb0a3599cc1f80b9f1aae97a45480714f2df
SHA256decc9ca76393388ce377fa7ce106e777b4c6a89ca53e3266f47a1c094c032987
SHA512fbd72da06f6b98dc4171c88455d021f9e870904b6e90fcfb5a634a97671ca589cabcbbf150af95b97b3d89e1bbde3fe7f8bf99d741d3ef76170e745cdcf336e3
-
C:\Users\Admin\AppData\Local\liebao\User Data\Default\Preferences.tmpFilesize
9KB
MD5d796ef88ddb5777a8f2bd311a20e2166
SHA1b57233c01a308c7c9f91aa9dda4f2a4702f5c538
SHA256de29d62f4700b3830cd784a21e93f8b832fe27fe7c86746aad8e0dafe8f21185
SHA5124acf855a43bc2e8afe056217aaa5e3cd62fd7eeeed8b6fe10ccfc94f0fe7ab1a9ee9104636713d205371e3b68a15d9c3aa7cdd92ee60da9e1d253c0872d11583
-
memory/3516-165-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-172-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-78-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-105-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-119-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-125-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-143-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-32-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-0-0x0000000000390000-0x0000000000508000-memory.dmpFilesize
1.5MB
-
memory/3516-64-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-171-0x0000000000390000-0x0000000000508000-memory.dmpFilesize
1.5MB
-
memory/3516-185-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-184-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-6-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-201-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-208-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-207-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-216-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-227-0x0000000010000000-0x0000000010254000-memory.dmpFilesize
2.3MB
-
memory/3516-229-0x0000000000390000-0x0000000000508000-memory.dmpFilesize
1.5MB