1121a23abf827d61a30300db64b472a66911726724e260c17679f27e5bd7cbc3

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/$_0_.exe
Size

2.8MB
MD5

fe4422df8857fd1eeea3b41a277889db
SHA1

4c80bd07bd3c5249c7daf2b33d0a318899ca2925
SHA256

f9c7c3a5222120e920e276e4955a967b07e8d35d4764ab6152f6989fd8f64045
SHA512

445607b7e28ef6525a42acc48f49f5accc0d6a867beda24f52ddc36f996dfea4ca9b48824001197e53d8e0f904235b01ca54a71af5d6da8c4accc8b87f58700f
SSDEEP

49152:0PfwEe+K3l5Tkug19UwsjR0SV2IZ2SQV1ch4heoMBoW1aZ:0gEe2EhYoE

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral7/files/0x00050000000196bf-164.dat	acprotect
behavioral7/memory/1992-166-0x0000000074F90000-0x0000000074F9A000-memory.dmp	acprotect
behavioral7/files/0x00050000000196c4-231.dat	acprotect
behavioral7/memory/1992-382-0x0000000074F90000-0x0000000074F9A000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1992	dcd7Installer.exe

Loads dropped DLL 60 IoCs

pid	Process
2480	$_0_.exe
2480	$_0_.exe
2480	$_0_.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe
1992	dcd7Installer.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/2480-0-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/files/0x00050000000196bf-164.dat	upx
behavioral7/memory/1992-166-0x0000000074F90000-0x0000000074F9A000-memory.dmp	upx
behavioral7/files/0x00050000000196c4-231.dat	upx
behavioral7/memory/2480-381-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/1992-382-0x0000000074F90000-0x0000000074F9A000-memory.dmp	upx
behavioral7/memory/2480-383-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-384-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-390-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-393-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-395-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-397-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-399-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-401-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-403-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-405-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-407-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-409-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-411-0x0000000001010000-0x0000000001079000-memory.dmp	upx
behavioral7/memory/2480-413-0x0000000001010000-0x0000000001079000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral7/files/0x0036000000015d90-20.dat	nsis_installer_1
behavioral7/files/0x0036000000015d90-20.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	dcd7Installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28
PID 2480 wrote to memory of 1992	2480	$_0_.exe	28

C:\Users\Admin\AppData\Local\Temp\$TEMP\$_0_.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\$_0_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\temp\dcd7Installer.exe
  "C:\Users\Admin\AppData\Local\temp\dcd7Installer.exe" /KEYWORD=dcd7 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\nsURL.dll

Filesize
109KB

MD5
ee1c41db6834538ee4048ccfc45055be

SHA1
efbbfc884a3193fadf542b0bef387cffc86923b7

SHA256
8904eb2c575ac5509d1a19f7c14b6ab804e88c22e3c2232d45de4198cf9850aa

SHA512
312c60a27ee625c9454cb8403c575bd2f9562fd1288ae84ad648018b62e455bf89928acb2508e75be8e76cd19ac1127e873b1187d06fa265ca2e624e02382ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
C:\Users\Admin\AppData\Local\temp\dcd7fondo.bmp

Filesize
206KB

MD5
3520bd39c7714d6cb6b8cfe52bf3dbb0

SHA1
e2b598737cc3f34821deb115f6ff2317179e0250

SHA256
098d036e629850ef85f97fb5300312868a6f0fa872429860a32d1824d06eb2e6

SHA512
6b416de5f5a0d96452ff1b80d2356b58a03fc7996cbd477d8b718c0e71bd1088745bdc71cfb3a1fc9be7ac940aefd48efa32bda7c10c92067991200b1b69e875

Download Submit
C:\Users\Admin\AppData\Local\temp\dcd7header.bmp

Filesize
25KB

MD5
361f6c8fce14289fb7993eb02fb37491

SHA1
4c4970dd55cb088cad46ebdd0b7d0e250c93c479

SHA256
54acc0b6d62a283462185995b1e5cfb000b8368835262ea1d99d508289df43ef

SHA512
9341e6be7fa35560744a089c42f88b81c3dc0147f6042dbbcfabdcbf63434a8ad5e199f43dcf73449a3f44e1b079f6f1c87fdba9d11cda45234b3efb7a3fa301

Download Submit
C:\Users\Admin\AppData\Local\temp\dcd7installer.ini

Filesize
572B

MD5
18d944112b5072ae292b54e2ed3bf56d

SHA1
ddbe1b547d90c243c7d60dd4ffc7847ec381a466

SHA256
f74f4830322264c29a2c996c3fac3ab490c2a78a9fffd7975b6c65fd16172ad8

SHA512
5731673f5af8214268c56c069786d0731c224e51a477c111f4084f596dd1c005e16def73fcecde618277788d0820d35228dbbe85fe28561beac9073516930f79

Download Submit
\Users\Admin\AppData\Local\Temp\dcd7Installer.exe

Filesize
2.0MB

MD5
94d3871dcd0378ba34e4e1f11ae87aad

SHA1
33d915f0b98e1b58e4df4d3aebfe555ea822ff3d

SHA256
134b2d746bd3c15b81d559a4f1fd3c647670f061a151df7ae65e296eedd403de

SHA512
64e36ff3d04dc80ce2a5e432096a16d4e0168c10d168f529040edb1e9f4a970b56b70067ae90b09e5efe41ca184328e3c17dd398b34962bf295b95627ea15dae

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/1992-191-0x00000000037B0000-0x00000000037D6000-memory.dmp

Filesize
152KB

Download
memory/1992-387-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1992-277-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1992-365-0x0000000003950000-0x000000000395C000-memory.dmp

Filesize
48KB

Download
memory/1992-279-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1992-373-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1992-372-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/1992-392-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1992-166-0x0000000074F90000-0x0000000074F9A000-memory.dmp

Filesize
40KB

Download
memory/1992-389-0x0000000003950000-0x000000000395C000-memory.dmp

Filesize
48KB

Download
memory/1992-382-0x0000000074F90000-0x0000000074F9A000-memory.dmp

Filesize
40KB

Download
memory/1992-278-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1992-388-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1992-386-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/2480-399-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-401-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-381-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-390-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-0-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-393-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-383-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-395-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-384-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-397-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-403-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-405-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-407-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-409-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-411-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download
memory/2480-413-0x0000000001010000-0x0000000001079000-memory.dmp

Filesize
420KB

Download