Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 00:47

General

  • Target

    aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe

  • Size

    7.4MB

  • MD5

    59b4fb27169c704f1cf37f4ca833aefb

  • SHA1

    630e6606a042801fee759ec216ae3fdbbcd8cce6

  • SHA256

    aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c

  • SHA512

    cc4654fe0d1470c136ce1f4fdd8ce050dc5ce945b81448762094008d1376cd47699ec4b83a37d16e373c34ca5f0590c26aadcf82a25bba983760472c7206b3e5

  • SSDEEP

    196608:Q7Mz/vpMzHQCMFGS/MBL5i6bY56IAO3W0uMYYcp:Q7wZMzaGSqi5AiPup

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 9 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
    "C:\Users\Admin\AppData\Local\Temp\aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe"
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3068

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\ioSpecial.ini
    Filesize

    730B

    MD5

    c57d820ab35c16a67c7cef2ddb3d1df3

    SHA1

    f7edf81d076b578b89750e6031db74cd40d1ecb4

    SHA256

    62bb620e1e180f39c7c8b38161fb24cf997b8fdbdc5a346176bce5b841385822

    SHA512

    4f863b26adfe11179cef08c8fc234bd3e7de01f1148ac1db634290c2d9b3ea0e1955894db89edd9b17e41d654c4338aeec9b070ed78483ed689b1983d54eeedc

  • \Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\AdvSplash.dll
    Filesize

    6KB

    MD5

    13cc92f90a299f5b2b2f795d0d2e47dc

    SHA1

    aa69ead8520876d232c6ed96021a4825e79f542f

    SHA256

    eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

    SHA512

    ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\Bass.dll
    Filesize

    101KB

    MD5

    a8af308ff01b4477657955fbf0cc8408

    SHA1

    0794c059f0326e4a71be8a3ee4ac17a657d90d88

    SHA256

    14a38f56be50a3829eb1eda2a908da2de5913f81d5cb01d8b668593d0fc36594

    SHA512

    9e221967db95d4b86bf311891193dfd1515806aa0d43198d3bc26a17d77f06f212ab9dba1ca8575f50d224380e8b109529faccf2f56daac834da83a83677a0fd

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\InstallOptions.dll
    Filesize

    14KB

    MD5

    325b008aec81e5aaa57096f05d4212b5

    SHA1

    27a2d89747a20305b6518438eff5b9f57f7df5c3

    SHA256

    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    SHA512

    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\NSIS_SkinCrafter_Plugin.dll
    Filesize

    5.8MB

    MD5

    028251654a4d65509aa8ccb5f2ee284a

    SHA1

    4a4ad468a86df6b903002be4f8919017fea0c152

    SHA256

    8b25cf3f7aa82fadccb2ce615ce0e40c5a8a3ea7bc51180a92173ee113a0ccfe

    SHA512

    f252670bca0da9e8e2c519a6ef4ad6dd0c4e548aeb7566693a7d203e73e63345fc58683072020ef771d836429bed1d7b4fdf105aa3e62a969e9c8d39556e1d2d

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\SkinCrafter.dll
    Filesize

    792KB

    MD5

    8fea8fd177034b52e6a5886fb5e780bd

    SHA1

    99f511388a2420d53b8406baed48ba550842eaad

    SHA256

    546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

    SHA512

    5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

  • \Users\Admin\AppData\Local\Temp\nsd2DF4.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Windows\SysWOW64\mfc71.dll
    Filesize

    1.0MB

    MD5

    1fd3f9722119bdf7b8cff0ecd1e84ea6

    SHA1

    9a4faa258b375e173feaca91a8bd920baf1091eb

    SHA256

    385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

    SHA512

    109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

  • \Windows\SysWOW64\msvcr71.dll
    Filesize

    340KB

    MD5

    ca2f560921b7b8be1cf555a5a18d54c3

    SHA1

    432dbcf54b6f1142058b413a9d52668a2bde011d

    SHA256

    c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

    SHA512

    23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

  • memory/3068-48-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-152-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-50-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-51-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-52-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-1-0x0000000000403000-0x0000000000404000-memory.dmp
    Filesize

    4KB

  • memory/3068-58-0x0000000005CE0000-0x00000000062AD000-memory.dmp
    Filesize

    5.8MB

  • memory/3068-47-0x0000000000403000-0x0000000000404000-memory.dmp
    Filesize

    4KB

  • memory/3068-66-0x0000000005660000-0x000000000572C000-memory.dmp
    Filesize

    816KB

  • memory/3068-22-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

  • memory/3068-21-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-6-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

  • memory/3068-4-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-150-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-151-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-49-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

  • memory/3068-153-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-155-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-156-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

  • memory/3068-158-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-160-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-162-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-164-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-166-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-168-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-170-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-172-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-174-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB

  • memory/3068-175-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize

    192KB

  • memory/3068-176-0x0000000003350000-0x000000000339D000-memory.dmp
    Filesize

    308KB