c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
Size

2.3MB
MD5

2ebeded4ad3545ca6c6a99f2bf0985b5
SHA1

da1dcdcb57fd34940902b9dc343ebb0d98e09919
SHA256

c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0
SHA512

a76b70cab15e0df124a5187ca76d1b5e9c4ac6a14bedf7da0b07c52466cf62f96a72b2071582e2f96cf671cfb1c12a876c69c6b096d235666a59b641936f60f7
SSDEEP

49152:t/UTRSYDBBW+p6OooDKU1+V5MDexWeyz32tfVZNTExmqmPXiJBR:tWSYdBerU1+XMHmtfr1v1qJT

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/memory/3044-22-0x0000000074380000-0x0000000074431000-memory.dmp	UPX
behavioral1/memory/3044-28-0x00000000747F0000-0x0000000074801000-memory.dmp	UPX
behavioral1/memory/3044-39-0x0000000074360000-0x0000000074375000-memory.dmp	UPX
behavioral1/memory/3044-59-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	UPX
behavioral1/memory/3044-58-0x0000000074360000-0x0000000074375000-memory.dmp	UPX
behavioral1/memory/3044-57-0x000000001E980000-0x000000001E9A1000-memory.dmp	UPX
behavioral1/memory/3044-56-0x00000000747F0000-0x0000000074801000-memory.dmp	UPX
behavioral1/memory/3044-55-0x0000000074810000-0x000000007482E000-memory.dmp	UPX
behavioral1/memory/3044-54-0x0000000074380000-0x0000000074431000-memory.dmp	UPX
behavioral1/memory/3044-53-0x00000000742D0000-0x0000000074360000-memory.dmp	UPX
behavioral1/memory/3044-40-0x00000000742D0000-0x0000000074360000-memory.dmp	UPX
behavioral1/files/0x0006000000016ccd-38.dat	UPX
behavioral1/memory/3044-37-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	UPX
behavioral1/files/0x0007000000015d02-35.dat	UPX
behavioral1/memory/3044-33-0x000000001E980000-0x000000001E9A1000-memory.dmp	UPX
behavioral1/files/0x0006000000016c5b-32.dat	UPX
behavioral1/files/0x0006000000016d01-30.dat	UPX
behavioral1/memory/3044-27-0x0000000074810000-0x000000007482E000-memory.dmp	UPX
behavioral1/files/0x0007000000015cf5-26.dat	UPX
behavioral1/files/0x0007000000015ced-24.dat	UPX

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016ccd-38.dat	acprotect
behavioral1/files/0x0007000000015d02-35.dat	acprotect
behavioral1/files/0x0006000000016c5b-32.dat	acprotect
behavioral1/files/0x0006000000016d01-30.dat	acprotect
behavioral1/files/0x0007000000015cf5-26.dat	acprotect
behavioral1/files/0x0007000000015ced-24.dat	acprotect

Loads dropped DLL 8 IoCs

pid	Process
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
3044	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016c3a-20.dat	upx
behavioral1/memory/3044-22-0x0000000074380000-0x0000000074431000-memory.dmp	upx
behavioral1/memory/3044-28-0x00000000747F0000-0x0000000074801000-memory.dmp	upx
behavioral1/memory/3044-39-0x0000000074360000-0x0000000074375000-memory.dmp	upx
behavioral1/memory/3044-45-0x0000000074440000-0x00000000746F1000-memory.dmp	upx
behavioral1/memory/3044-59-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral1/memory/3044-58-0x0000000074360000-0x0000000074375000-memory.dmp	upx
behavioral1/memory/3044-57-0x000000001E980000-0x000000001E9A1000-memory.dmp	upx
behavioral1/memory/3044-56-0x00000000747F0000-0x0000000074801000-memory.dmp	upx
behavioral1/memory/3044-55-0x0000000074810000-0x000000007482E000-memory.dmp	upx
behavioral1/memory/3044-54-0x0000000074380000-0x0000000074431000-memory.dmp	upx
behavioral1/memory/3044-53-0x00000000742D0000-0x0000000074360000-memory.dmp	upx
behavioral1/memory/3044-40-0x00000000742D0000-0x0000000074360000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-38.dat	upx
behavioral1/memory/3044-37-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral1/files/0x0007000000015d02-35.dat	upx
behavioral1/memory/3044-33-0x000000001E980000-0x000000001E9A1000-memory.dmp	upx
behavioral1/files/0x0006000000016c5b-32.dat	upx
behavioral1/files/0x0006000000016d01-30.dat	upx
behavioral1/memory/3044-27-0x0000000074810000-0x000000007482E000-memory.dmp	upx
behavioral1/files/0x0007000000015cf5-26.dat	upx
behavioral1/files/0x0007000000015ced-24.dat	upx
behavioral1/memory/3044-21-0x0000000074440000-0x00000000746F1000-memory.dmp	upx
behavioral1/files/0x0006000000016c3a-19.dat	upx
behavioral1/files/0x0006000000016c57-18.dat	upx
behavioral1/files/0x0006000000016c57-17.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Graphic Driver Extension Loader Service = "C:\\ProgramData\\Intel\\IntelGFX.exe"	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3044	3024	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	28
PID 3024 wrote to memory of 3044	3024	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	28
PID 3024 wrote to memory of 3044	3024	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	28
PID 3024 wrote to memory of 3044	3024	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	28

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
  "C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30242\IntelGFX.exe.manifest

Filesize
1KB

MD5
6d9baafd6ebcbaf5127448f0b334b7ae

SHA1
dcc0d1c77b913d81e0ebdc97069525c84f5bc59c

SHA256
64431ef89972f5c64a96499a4e972d66ce870008c2471edd696d2fc99e746ac2

SHA512
9989056b9a77e2434a5c48daf99cd24fe15c85d55b7ec87ea141f55417e9e1e7394585778efdb035c822b361a97da364c2c59090817050a84c2e76d4bb92eb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30242\MSVCR90.dll

Filesize
128KB

MD5
75a3740bb79ae94fc74903d26326b5b9

SHA1
9d475f893c10b13230093b495761cbf62998f5e6

SHA256
c665fa5b9dfc85ed3c3098bb121a701cfa541a37b9f01b1879197cb5783db988

SHA512
a9706c21712482998afcd48e4c552263e0d794340a6a10a046491f6109286b14ad585369bad41347227ebdfdbcf893a2eb86d43317f76a1e6186d6e190be2b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30242\python27.dll

Filesize
192KB

MD5
cb9708e764150e9b31945f9b89963835

SHA1
80f3b88d6b9ec8505cd2f0982376c7bff9ca02c8

SHA256
d393e3dcdaaf6acfc1625c5a8adf4add402987179a221a7474f17228628d3654

SHA512
488bca89ba5d5f9a1a3cf8e2957af21f78df2c2148a4fa4e15132a0d73080eca01371a858968acda3597587c0314d20b586f6f85d455b6ce9045aa328c908939

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30242\msvcr90.dll

Filesize
192KB

MD5
2318feff52a4cbbbda0cdf3fd447a49b

SHA1
81d866b03931346deade5d66606c4d2608756aba

SHA256
ed7818df2d76f502e6c70c7d495b1e6f358b4ebe8bb8a045c024dd1401420ffe

SHA512
2a0ca5b0f5cc33acb82cd723012ad5257a69b218b0332a1f61ae1746c0aa881794c052fa5904ed72b018800fa9a7ab8b9223b522f0c161428303a049c79bc703

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30242\python27.dll

Filesize
128KB

MD5
774b5e73fce373318cefbe93048fc03f

SHA1
02ef353926b6e073794c2e63e792abc1ae88a221

SHA256
8a5b103ca8a2846265b14175ff8bb42c6a881e12f52a1879913af879392534bb

SHA512
1b5f79bd1985b5c0a6098ae48bf754ec650551587f01bdb7a2868e5076bc74df51542905d43abbc8af54470cdd69ce7104e711ffda4e45f6f8769dbc7ad97387

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\_ctypes.pyd

Filesize
36KB

MD5
892b1c64bd2d6455ccee13bed8f7372c

SHA1
570700b3019d6eb4846bed288fa9cff3663d77f5

SHA256
fc813a3c6294feef54d36fff55d8e8fd23527a67e71b4c275094a1529863ac15

SHA512
0a72db9be613525889abd1556875d79806ebd000682c7b82ce2f7ea8397987ba8d461bafc0770a4fd32ba805a018fc49c3a50804479eeeb1b7475c1f2f696c8a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\_socket.pyd

Filesize
21KB

MD5
8811517fe8d6a2c32ebfb512ac431177

SHA1
91cc8ac9d82bc7e21965035ba31ee5bef44a6403

SHA256
90afba4a6d54e8a079e51a77e76be48485d1cd20118369745e0b6a9d08444f35

SHA512
5241836f9a8d1d60bbc8cd3f7ffe9125c3f7cb37aaa8090713e18ab1d8423a427c641f9523675ab951aea608e96ed32c6a8fbc14ffe804b57158b477a14b9239

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\_sqlite3.pyd

Filesize
22KB

MD5
0c070d68f24a1d645259319ad6f98ef4

SHA1
e8882fa93829caf674e69b16497f7808c8eedca7

SHA256
91053a6c100d8d5df8552202f3223aea67822b32a4ad7d8697608e6d23f508a4

SHA512
89284b4a55b87c4871123030b542f1ccc83609d693e1ea1799fefe954ffbce8636962f3f87fb6907fbd1058618364306b7776ba3eb9e2bbe91414dad13fd5cb5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\pywintypes27.dll

Filesize
51KB

MD5
66731fcba577b47bf97fa0e36a539ff5

SHA1
759dfa167ea71fdbeb6275ef341ae7e52fba2e53

SHA256
d8c4796d11acb3583c3b3359b4b4e0f93d33af9aebd4bdaadb301c37b1df1dae

SHA512
f6a476621236abc66518cab9b2acfe975306fa84769d0149ebbe5420d9b625ce80f57f4ad9c7111604f2e7ce8fc1946828468cd38aadc320f43bae64879e5f12

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\sqlite3.dll

Filesize
252KB

MD5
2a999115993593c76466f8c4f351d43c

SHA1
193841fd5a2bda36ac3e82cada19f6accde30b33

SHA256
1514c1981fe724bf5bf42e3800b7ea86235821973a70ca046de2dcd8ed82d17a

SHA512
4918c584c5da52ccd543e5bf0df23f429611afac3c3ee7081022e93f85a443932e484a3ccabbf7708aed410bd30d1388c81694b33ff59398ec8bcb34c10d4b52

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30~1\win32crypt.pyd

Filesize
37KB

MD5
fd32de25a44ec1f391be5bc4c7ab0711

SHA1
d97d91cc246f1f49293e9567a9c35a06c4359d7f

SHA256
172aed8bf628a97b8fe3c1a6effbe63bd4c60e908d208b9498b2e2aa1bf99e1b

SHA512
fa43cc7ac54312b4ac74c5d07d7a79d8c97fd7c1816d9169601af867698d62e16ade36965831fb0e3e405df8136ddf00578738239be0c2a6f390ff6f55b35dd4

Download Submit
memory/3044-58-0x0000000074360000-0x0000000074375000-memory.dmp

Filesize
84KB

Download
memory/3044-56-0x00000000747F0000-0x0000000074801000-memory.dmp

Filesize
68KB

Download
memory/3044-53-0x00000000742D0000-0x0000000074360000-memory.dmp

Filesize
576KB

Download
memory/3044-37-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/3044-54-0x0000000074380000-0x0000000074431000-memory.dmp

Filesize
708KB

Download
memory/3044-33-0x000000001E980000-0x000000001E9A1000-memory.dmp

Filesize
132KB

Download
memory/3044-55-0x0000000074810000-0x000000007482E000-memory.dmp

Filesize
120KB

Download
memory/3044-40-0x00000000742D0000-0x0000000074360000-memory.dmp

Filesize
576KB

Download
memory/3044-27-0x0000000074810000-0x000000007482E000-memory.dmp

Filesize
120KB

Download
memory/3044-57-0x000000001E980000-0x000000001E9A1000-memory.dmp

Filesize
132KB

Download
memory/3044-59-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/3044-21-0x0000000074440000-0x00000000746F1000-memory.dmp

Filesize
2.7MB

Download
memory/3044-45-0x0000000074440000-0x00000000746F1000-memory.dmp

Filesize
2.7MB

Download
memory/3044-39-0x0000000074360000-0x0000000074375000-memory.dmp

Filesize
84KB

Download
memory/3044-28-0x00000000747F0000-0x0000000074801000-memory.dmp

Filesize
68KB

Download
memory/3044-22-0x0000000074380000-0x0000000074431000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads