c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3

General

Target

c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe
Size

10.3MB
MD5

6b7c72e705f070fc34440815bbae677a
SHA1

03902c706a6da6f4c87015159694a30761e33f60
SHA256

c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3
SHA512

0ea9ba95adc920941ad3693c27643900eeb12928e22a47c35611548fbabc06b4c4fcdb6023df757afd8b48440459ada3299cae53b7b65a3792f4f55bc67da811
SSDEEP

196608:u+Ft+tfmD4XF0ebvjXsrq0Xd+b9VmBrS4usDEh7VB8PuYmfADv0UP4gQ0jIyKiSK:V4Ktebvj820tuGc4QwSADfP4gQ0jrKdK

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0034000000014701-48.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0034000000014701-48.dat	upx
behavioral1/memory/1908-55-0x0000000073BB0000-0x0000000073BE9000-memory.dmp	upx
behavioral1/memory/1908-65-0x0000000073BB0000-0x0000000073BE9000-memory.dmp	upx
behavioral1/memory/1908-69-0x0000000073BB0000-0x0000000073BE9000-memory.dmp	upx
behavioral1/memory/1908-71-0x0000000073BB0000-0x0000000073BE9000-memory.dmp	upx
behavioral1/memory/1908-74-0x0000000073BB0000-0x0000000073BE9000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\gb.mu	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe
1908	c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe

C:\Users\Admin\AppData\Local\Temp\c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe
"C:\Users\Admin\AppData\Local\Temp\c2a5c16519d9dadc1ad0454b7fe77672856bcbecc4cf39eb5d7bc89491e6d9f3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cursors\gb.mu

Filesize
13KB

MD5
be702be6be99ad2203d50516014e5cd9

SHA1
b4842827e5bc9de24e74d5b08afa0675df570dba

SHA256
02bb80610621625b0c420a9fc8ba32efeef4b859b327aaa0dfb62da38abbf41c

SHA512
79cfb96a73ec2b8341c59580f7ecd5db53b5023e41acad47e6e8bd8350532d1c4dcb04c1e62bbf3bd149b1779ed904b271bb1b9fb23c6fed1752ade43239f9a8

Download Submit
\Users\Admin\AppData\Local\Temp\HPSocket.dll

Filesize
80KB

MD5
b220f0b3057a925147f57c5ebff51523

SHA1
bb9faca3b0e9f849301ecbd58381e7965a143781

SHA256
f12af891c0c1cb5e793ab260ff92e9792c8f7f2541162390a44c27e2e954dcb8

SHA512
1e9fb6bd6005aab4f553b0a02c373671ce26fa773b06461e0041cfad0ae62bbf319105296ebd5e2c1ccf1c478ce17510aeb32dab8b83254fa2a18c9148f121f1

Download Submit
memory/1908-15-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1908-37-0x0000000000400000-0x000000000208E000-memory.dmp

Filesize
28.6MB

Download
memory/1908-11-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1908-35-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1908-10-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1908-33-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1908-30-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/1908-28-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/1908-25-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1908-23-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1908-20-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1908-8-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1908-0-0x0000000001251000-0x0000000001648000-memory.dmp

Filesize
4.0MB

Download
memory/1908-13-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1908-5-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1908-18-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1908-3-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1908-51-0x0000000000400000-0x000000000208E000-memory.dmp

Filesize
28.6MB

Download
memory/1908-53-0x0000000000400000-0x000000000208E000-memory.dmp

Filesize
28.6MB

Download
memory/1908-54-0x0000000000400000-0x000000000208E000-memory.dmp

Filesize
28.6MB

Download
memory/1908-55-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download
memory/1908-65-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download
memory/1908-67-0x0000000001251000-0x0000000001648000-memory.dmp

Filesize
4.0MB

Download
memory/1908-68-0x0000000000400000-0x000000000208E000-memory.dmp

Filesize
28.6MB

Download
memory/1908-69-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download
memory/1908-71-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download
memory/1908-74-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing