9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826

General

Target

9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
Size

1.7MB
MD5

67eb9d2193fedd5308f9ac021dfb2ff8
SHA1

25be5ad019da2f1ef25ac9962e304a09a012e14a
SHA256

9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826
SHA512

22c205c5d3869530a3e6f9050d35fe4c0f59c88f1e6cbb6d96f8fde927f6a5c5959f768dabd1c50ab7312bab6fb06fc64a64e571d212d81d43b3e97cac166222
SSDEEP

49152:1hyrKTZaqdwk0c05HGinOnYbMEwoA+xnk9QqqwyCC:yOYqdwkLcHHvw5oA+BdqqwHC

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000400000-0x00000000004FF000-memory.dmp	UPX
behavioral1/files/0x0009000000014e51-22.dat	UPX
behavioral1/memory/1688-24-0x0000000000540000-0x000000000057D000-memory.dmp	UPX
behavioral1/memory/1688-27-0x0000000000540000-0x000000000057D000-memory.dmp	UPX
behavioral1/memory/1688-29-0x0000000000540000-0x000000000057D000-memory.dmp	UPX
behavioral1/memory/1688-30-0x0000000000540000-0x000000000057D000-memory.dmp	UPX
behavioral1/memory/1688-28-0x0000000000540000-0x000000000057D000-memory.dmp	UPX
behavioral1/memory/1688-47-0x0000000000400000-0x00000000004FF000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000014e51-22.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000014e51-22.dat	upx
behavioral1/memory/1688-24-0x0000000000540000-0x000000000057D000-memory.dmp	upx
behavioral1/memory/1688-27-0x0000000000540000-0x000000000057D000-memory.dmp	upx
behavioral1/memory/1688-29-0x0000000000540000-0x000000000057D000-memory.dmp	upx
behavioral1/memory/1688-30-0x0000000000540000-0x000000000057D000-memory.dmp	upx
behavioral1/memory/1688-28-0x0000000000540000-0x000000000057D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
1688	9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe

C:\Users\Admin\AppData\Local\Temp\9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe
"C:\Users\Admin\AppData\Local\Temp\9287c3da012bed79791e0127b7c21148245c19bdbfd03cbf32ecd0fb2cbcd826.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
224KB

MD5
2c0b196cb4b98677c77aa810e7f1f072

SHA1
b8ba545ebb7b55c7371cd7c18d78dfebbba33866

SHA256
8d32a07500380f9b900134fecf01068d025f7b7b27c998066a321710db5a5f0d

SHA512
39713b827cae220ae1d2f6b968bb689f72e583f1f5024260f54744c332ca99ed5a9508bcea6c143df31faa5a362e40fc5e7d2215a5c7f6c095c3951662a9b76f

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
216KB

MD5
3f1b2b497172b65f7bb15453d0d93de0

SHA1
e24556e47ced0b6ae6b89a5e280b83e15ed42e8a

SHA256
4f9ad22aa55455f56619e76a01afeb337e1f28f61c7dde5869eb2a6d8776581e

SHA512
8837e6108ffde548674487c5ebba3e3dbee8bfafa5727470d3ebaeec039baefc6dc3d756a199f4fb334754985288f0a5577b32eb41fbd69295fc9681354cd3f2

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.0MB

MD5
44e2ca67c060fbe3dc0d030149f5a478

SHA1
5df61eb626bc3849893701942114609c1086d496

SHA256
6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

SHA512
1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
88KB

MD5
51d7be0ca4431fec32d0ba0978cb2cae

SHA1
1aa65ca721bd881b615b16602f6bc7cc4c7d74d8

SHA256
1e4d44d3a865a766517057c199eda71e005e56c13fce2c4137b66d185a416986

SHA512
5cf2214bc60dde261f44aa339ba1943f5c9b70337a11d064185224b3dcfc705e55386c95de280b6d05c4b60a318abbfa3d5728724c28dfc009d57c3bbfd76ef5

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/1688-17-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1688-13-0x0000000000500000-0x000000000053B000-memory.dmp

Filesize
236KB

Download
memory/1688-11-0x0000000076FDF000-0x0000000076FE0000-memory.dmp

Filesize
4KB

Download
memory/1688-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1688-9-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download
memory/1688-24-0x0000000000540000-0x000000000057D000-memory.dmp

Filesize
244KB

Download
memory/1688-27-0x0000000000540000-0x000000000057D000-memory.dmp

Filesize
244KB

Download
memory/1688-26-0x0000000000549000-0x000000000054A000-memory.dmp

Filesize
4KB

Download
memory/1688-29-0x0000000000540000-0x000000000057D000-memory.dmp

Filesize
244KB

Download
memory/1688-30-0x0000000000540000-0x000000000057D000-memory.dmp

Filesize
244KB

Download
memory/1688-28-0x0000000000540000-0x000000000057D000-memory.dmp

Filesize
244KB

Download
memory/1688-32-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1688-47-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing