c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
Size

2.3MB
MD5

2ebeded4ad3545ca6c6a99f2bf0985b5
SHA1

da1dcdcb57fd34940902b9dc343ebb0d98e09919
SHA256

c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0
SHA512

a76b70cab15e0df124a5187ca76d1b5e9c4ac6a14bedf7da0b07c52466cf62f96a72b2071582e2f96cf671cfb1c12a876c69c6b096d235666a59b641936f60f7
SSDEEP

49152:t/UTRSYDBBW+p6OooDKU1+V5MDexWeyz32tfVZNTExmqmPXiJBR:tWSYdBerU1+XMHmtfr1v1qJT

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 16 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023433-23.dat	UPX
behavioral2/memory/2176-29-0x000000001E980000-0x000000001E9A1000-memory.dmp	UPX
behavioral2/files/0x000700000002343b-35.dat	UPX
behavioral2/memory/2176-47-0x00000000757A0000-0x00000000757B5000-memory.dmp	UPX
behavioral2/memory/2176-46-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	UPX
behavioral2/memory/2176-45-0x000000001E980000-0x000000001E9A1000-memory.dmp	UPX
behavioral2/memory/2176-44-0x00000000757C0000-0x00000000757D1000-memory.dmp	UPX
behavioral2/memory/2176-43-0x00000000757E0000-0x00000000757FE000-memory.dmp	UPX
behavioral2/memory/2176-36-0x00000000757A0000-0x00000000757B5000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-33.dat	UPX
behavioral2/files/0x0007000000023439-30.dat	UPX
behavioral2/files/0x000700000002343d-27.dat	UPX
behavioral2/memory/2176-25-0x00000000757C0000-0x00000000757D1000-memory.dmp	UPX
behavioral2/memory/2176-24-0x00000000757E0000-0x00000000757FE000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-21.dat	UPX
behavioral2/files/0x0007000000023438-17.dat	UPX

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023433-23.dat	acprotect
behavioral2/files/0x000700000002343b-35.dat	acprotect
behavioral2/files/0x0007000000023434-33.dat	acprotect
behavioral2/files/0x0007000000023439-30.dat	acprotect
behavioral2/files/0x000700000002343d-27.dat	acprotect
behavioral2/files/0x0007000000023432-21.dat	acprotect
behavioral2/files/0x0007000000023438-17.dat	acprotect

Loads dropped DLL 7 IoCs

pid	Process
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
2176	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2176-19-0x00000000758B0000-0x0000000075B61000-memory.dmp	upx
behavioral2/files/0x0007000000023438-18.dat	upx
behavioral2/files/0x0007000000023433-23.dat	upx
behavioral2/memory/2176-29-0x000000001E980000-0x000000001E9A1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-35.dat	upx
behavioral2/memory/2176-48-0x0000000075710000-0x00000000757A0000-memory.dmp	upx
behavioral2/memory/2176-47-0x00000000757A0000-0x00000000757B5000-memory.dmp	upx
behavioral2/memory/2176-46-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral2/memory/2176-45-0x000000001E980000-0x000000001E9A1000-memory.dmp	upx
behavioral2/memory/2176-44-0x00000000757C0000-0x00000000757D1000-memory.dmp	upx
behavioral2/memory/2176-43-0x00000000757E0000-0x00000000757FE000-memory.dmp	upx
behavioral2/memory/2176-42-0x00000000758B0000-0x0000000075B61000-memory.dmp	upx
behavioral2/memory/2176-37-0x0000000075710000-0x00000000757A0000-memory.dmp	upx
behavioral2/memory/2176-36-0x00000000757A0000-0x00000000757B5000-memory.dmp	upx
behavioral2/files/0x0007000000023434-33.dat	upx
behavioral2/memory/2176-32-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral2/files/0x0007000000023439-30.dat	upx
behavioral2/files/0x000700000002343d-27.dat	upx
behavioral2/memory/2176-25-0x00000000757C0000-0x00000000757D1000-memory.dmp	upx
behavioral2/memory/2176-24-0x00000000757E0000-0x00000000757FE000-memory.dmp	upx
behavioral2/files/0x0007000000023432-21.dat	upx
behavioral2/files/0x0007000000023438-17.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Graphic Driver Extension Loader Service = "C:\\ProgramData\\Intel\\IntelGFX.exe"	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2176	1056	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	81
PID 1056 wrote to memory of 2176	1056	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	81
PID 1056 wrote to memory of 2176	1056	c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe	81

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe
  "C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10562\IntelGFX.exe.manifest

Filesize
1KB

MD5
6d9baafd6ebcbaf5127448f0b334b7ae

SHA1
dcc0d1c77b913d81e0ebdc97069525c84f5bc59c

SHA256
64431ef89972f5c64a96499a4e972d66ce870008c2471edd696d2fc99e746ac2

SHA512
9989056b9a77e2434a5c48daf99cd24fe15c85d55b7ec87ea141f55417e9e1e7394585778efdb035c822b361a97da364c2c59090817050a84c2e76d4bb92eb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\_ctypes.pyd

Filesize
36KB

MD5
892b1c64bd2d6455ccee13bed8f7372c

SHA1
570700b3019d6eb4846bed288fa9cff3663d77f5

SHA256
fc813a3c6294feef54d36fff55d8e8fd23527a67e71b4c275094a1529863ac15

SHA512
0a72db9be613525889abd1556875d79806ebd000682c7b82ce2f7ea8397987ba8d461bafc0770a4fd32ba805a018fc49c3a50804479eeeb1b7475c1f2f696c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\_socket.pyd

Filesize
21KB

MD5
8811517fe8d6a2c32ebfb512ac431177

SHA1
91cc8ac9d82bc7e21965035ba31ee5bef44a6403

SHA256
90afba4a6d54e8a079e51a77e76be48485d1cd20118369745e0b6a9d08444f35

SHA512
5241836f9a8d1d60bbc8cd3f7ffe9125c3f7cb37aaa8090713e18ab1d8423a427c641f9523675ab951aea608e96ed32c6a8fbc14ffe804b57158b477a14b9239

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\_sqlite3.pyd

Filesize
22KB

MD5
0c070d68f24a1d645259319ad6f98ef4

SHA1
e8882fa93829caf674e69b16497f7808c8eedca7

SHA256
91053a6c100d8d5df8552202f3223aea67822b32a4ad7d8697608e6d23f508a4

SHA512
89284b4a55b87c4871123030b542f1ccc83609d693e1ea1799fefe954ffbce8636962f3f87fb6907fbd1058618364306b7776ba3eb9e2bbe91414dad13fd5cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\python27.dll

Filesize
878KB

MD5
83fcb4eb099c82f84d684b2bc2765f8d

SHA1
5a576f5e50d7b2cbcf227bdee94db2dbf0e87e83

SHA256
2f5f4c9264e935f7b7cf9079ee0ed01eaf1c4a5dd71b6c0db7273780d9c2f529

SHA512
f0718e308fa2db25a8898a91f2950c377c2a6132a1f5cae4d4a254bc6f0d364d5166c8a95a2d0331b93fd3fd238aeb196fdfe7a9f8818dfa899659aa73f3bab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\python27.dll

Filesize
448KB

MD5
5bbdf87ce9c35f18ec7e302062a9ed8a

SHA1
bc749574cd233006e19fa1c17e73b37eec97e38c

SHA256
cc5aef66d9c01b6788f2c8a32d1e863fa9dc2856d4932ce7968d4820cdfd6be5

SHA512
f569211564e3c0abc1bcf10386ac46a3fc0f8fb9a3e1fc430cadf64231df07d3a64bb49ae2eaf3befd36642df7c81d502c054fa5126f8513c13c1a2237e87e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\pywintypes27.dll

Filesize
51KB

MD5
66731fcba577b47bf97fa0e36a539ff5

SHA1
759dfa167ea71fdbeb6275ef341ae7e52fba2e53

SHA256
d8c4796d11acb3583c3b3359b4b4e0f93d33af9aebd4bdaadb301c37b1df1dae

SHA512
f6a476621236abc66518cab9b2acfe975306fa84769d0149ebbe5420d9b625ce80f57f4ad9c7111604f2e7ce8fc1946828468cd38aadc320f43bae64879e5f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\sqlite3.dll

Filesize
252KB

MD5
2a999115993593c76466f8c4f351d43c

SHA1
193841fd5a2bda36ac3e82cada19f6accde30b33

SHA256
1514c1981fe724bf5bf42e3800b7ea86235821973a70ca046de2dcd8ed82d17a

SHA512
4918c584c5da52ccd543e5bf0df23f429611afac3c3ee7081022e93f85a443932e484a3ccabbf7708aed410bd30d1388c81694b33ff59398ec8bcb34c10d4b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10562\win32crypt.pyd

Filesize
37KB

MD5
fd32de25a44ec1f391be5bc4c7ab0711

SHA1
d97d91cc246f1f49293e9567a9c35a06c4359d7f

SHA256
172aed8bf628a97b8fe3c1a6effbe63bd4c60e908d208b9498b2e2aa1bf99e1b

SHA512
fa43cc7ac54312b4ac74c5d07d7a79d8c97fd7c1816d9169601af867698d62e16ade36965831fb0e3e405df8136ddf00578738239be0c2a6f390ff6f55b35dd4

Download Submit
memory/2176-43-0x00000000757E0000-0x00000000757FE000-memory.dmp

Filesize
120KB

Download
memory/2176-45-0x000000001E980000-0x000000001E9A1000-memory.dmp

Filesize
132KB

Download
memory/2176-42-0x00000000758B0000-0x0000000075B61000-memory.dmp

Filesize
2.7MB

Download
memory/2176-37-0x0000000075710000-0x00000000757A0000-memory.dmp

Filesize
576KB

Download
memory/2176-36-0x00000000757A0000-0x00000000757B5000-memory.dmp

Filesize
84KB

Download
memory/2176-44-0x00000000757C0000-0x00000000757D1000-memory.dmp

Filesize
68KB

Download
memory/2176-32-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/2176-19-0x00000000758B0000-0x0000000075B61000-memory.dmp

Filesize
2.7MB

Download
memory/2176-46-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/2176-25-0x00000000757C0000-0x00000000757D1000-memory.dmp

Filesize
68KB

Download
memory/2176-24-0x00000000757E0000-0x00000000757FE000-memory.dmp

Filesize
120KB

Download
memory/2176-47-0x00000000757A0000-0x00000000757B5000-memory.dmp

Filesize
84KB

Download
memory/2176-48-0x0000000075710000-0x00000000757A0000-memory.dmp

Filesize
576KB

Download
memory/2176-29-0x000000001E980000-0x000000001E9A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads