3aca83fffa6...0c.exe
windows7-x64
9aca83fffa6...0c.exe
windows10-2004-x64
9$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDIR/Bass.dll
windows7-x64
1$PLUGINSDIR/Bass.dll
windows10-2004-x64
1$PLUGINSDI...on.dll
windows7-x64
3$PLUGINSDI...on.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...in.dll
windows7-x64
1$PLUGINSDI...in.dll
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/bass.dll
windows7-x64
1$PLUGINSDIR/bass.dll
windows10-2004-x64
1$PROGRAMFI...ll.exe
windows7-x64
3$PROGRAMFI...ll.exe
windows10-2004-x64
3ExSCv3.chm
windows7-x64
1ExSCv3.chm
windows10-2004-x64
1Exsc.exe
windows7-x64
6Exsc.exe
windows10-2004-x64
6license.rtf
windows7-x64
4license.rtf
windows10-2004-x64
1umowa_licencyjna.rtf
windows7-x64
4umowa_licencyjna.rtf
windows10-2004-x64
6uninstall.exe
windows7-x64
3uninstall.exe
windows10-2004-x64
3Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
15-06-2024 00:47
Static task
static1
Behavioral task
behavioral1
Sample
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Bass.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Bass.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/bass.dll
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/bass.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$PROGRAMFILES/Wlodzimierz Grabowski/Extreme Sample Converter/uninstall.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$PROGRAMFILES/Wlodzimierz Grabowski/Extreme Sample Converter/uninstall.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
ExSCv3.chm
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
ExSCv3.chm
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
Exsc.exe
Resource
win7-20240611-en
Behavioral task
behavioral22
Sample
Exsc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
license.rtf
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
license.rtf
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
umowa_licencyjna.rtf
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
umowa_licencyjna.rtf
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
uninstall.exe
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
uninstall.exe
Resource
win10v2004-20240611-en
General
-
Target
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Size
7.4MB
-
MD5
59b4fb27169c704f1cf37f4ca833aefb
-
SHA1
630e6606a042801fee759ec216ae3fdbbcd8cce6
-
SHA256
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c
-
SHA512
cc4654fe0d1470c136ce1f4fdd8ce050dc5ce945b81448762094008d1376cd47699ec4b83a37d16e373c34ca5f0590c26aadcf82a25bba983760472c7206b3e5
-
SSDEEP
196608:Q7Mz/vpMzHQCMFGS/MBL5i6bY56IAO3W0uMYYcp:Q7wZMzaGSqi5AiPup
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource | yara_rule
C:\Program Files\Common Files\System\symsrv.dll | UPX
behavioral2/memory/3628-5-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral2/memory/3628-53-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral2/memory/3628-161-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral2/memory/3628-167-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral2/memory/3628-173-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral2/memory/3628-185-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
-
Modifies AppInit DLL entries 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Program Files\Common Files\System\symsrv.dll | acprotect
-
Loads dropped DLL 15 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
pid | process
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Processes:
resource | yara_rule
C:\Program Files\Common Files\System\symsrv.dll | upx
behavioral2/memory/3628-5-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/3628-53-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/3628-161-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/3628-167-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/3628-173-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/3628-185-0x0000000010000000-0x0000000010030000-memory.dmp | upx
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
description | ioc | process
File opened (read-only) | \??\e: | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Drops file in System32 directory 2 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
description | ioc | process
File created | C:\Windows\SysWOW64\msvcr71.dll | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
File created | C:\Windows\SysWOW64\mfc71.dll | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
description | ioc | process
File created | C:\Program Files\Common Files\System\symsrv.dll | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
pid | process
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
pid | process
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
Token: 33 | 828 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 828 | AUDIODG.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
pid | process
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
3628 | aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe
"C:\Users\Admin\AppData\Local\Temp\aca83fffa69ba66a87440ce64302dda3bfdfebb1c33ba5c00e3b71eddb6f280c.exe" 1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x498 1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files\Common Files\System\symsrv.dll
Filesize 67KB
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\AdvSplash.dll
Filesize 6KB
MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\Bass.dll
Filesize 101KB
MD5 a8af308ff01b4477657955fbf0cc8408
SHA1 0794c059f0326e4a71be8a3ee4ac17a657d90d88
SHA256 14a38f56be50a3829eb1eda2a908da2de5913f81d5cb01d8b668593d0fc36594
SHA512 9e221967db95d4b86bf311891193dfd1515806aa0d43198d3bc26a17d77f06f212ab9dba1ca8575f50d224380e8b109529faccf2f56daac834da83a83677a0fd
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\InstallOptions.dll
Filesize 14KB
MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\NSIS_SkinCrafter_Plugin.dll
Filesize 5.8MB
MD5 028251654a4d65509aa8ccb5f2ee284a
SHA1 4a4ad468a86df6b903002be4f8919017fea0c152
SHA256 8b25cf3f7aa82fadccb2ce615ce0e40c5a8a3ea7bc51180a92173ee113a0ccfe
SHA512 f252670bca0da9e8e2c519a6ef4ad6dd0c4e548aeb7566693a7d203e73e63345fc58683072020ef771d836429bed1d7b4fdf105aa3e62a969e9c8d39556e1d2d
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\SkinCrafter.dll
Filesize 792KB
MD5 8fea8fd177034b52e6a5886fb5e780bd
SHA1 99f511388a2420d53b8406baed48ba550842eaad
SHA256 546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de
SHA512 5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\System.dll
Filesize 11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\ioSpecial.ini
Filesize 730B
MD5 82492c0d62cfb23f4522755c9e8c0199
SHA1 91f7ca2f60ef66e3d9712501d2786e349ce47a51
SHA256 900f5f4c4a8bd91dcfc986e3289a215f07bf6147a0fc722769771a6e81f324b1
SHA512 42fe047ffc60e4b772ea661e3a04e715695d5d319f6fc97ef0c6e608125d1bcb2a76ac7421d662662b61f95ecd1a936fa7db72e734989505125abefe82f18ea7
-
C:\Users\Admin\AppData\Local\Temp\nsz5276.tmp\ioSpecial.ini
Filesize 743B
MD5 0cedca966051dfef8f87c5e6f3d358c2
SHA1 fc659564af60d287c8572657cd1138830be76f93
SHA256 63024e90f4fffd461e31c4ac4d5baf9db45295208f6f6178e419adcbe7c19db0
SHA512 8cfc86640c3a3e0ec72badd70d606bc983e43ff8af91826f610673d681cfa57269e77f528026b2bd373f57bf081bcd248eaeeb8be280a34a155d9c7359c7d8fd
-
C:\Windows\SysWOW64\mfc71.dll
Filesize 1.0MB
MD5 1fd3f9722119bdf7b8cff0ecd1e84ea6
SHA1 9a4faa258b375e173feaca91a8bd920baf1091eb
SHA256 385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
SHA512 109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6
-
C:\Windows\SysWOW64\msvcr71.dll
Filesize 340KB
MD5 ca2f560921b7b8be1cf555a5a18d54c3
SHA1 432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256 c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA512 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
memory/3628-53-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-166-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-61-0x0000000005930000-0x0000000005EFD000-memory.dmp
Filesize 5.8MB
-
memory/3628-1-0x0000000000403000-0x0000000000404000-memory.dmp
Filesize 4KB
-
memory/3628-27-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-71-0x0000000005F00000-0x0000000005FCC000-memory.dmp
Filesize 816KB
-
memory/3628-28-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB
-
memory/3628-26-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-7-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB
-
memory/3628-5-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-160-0x0000000000403000-0x0000000000404000-memory.dmp
Filesize 4KB
-
memory/3628-161-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-162-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB
-
memory/3628-163-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-165-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-54-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-167-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-168-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-170-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-172-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-173-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-174-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-176-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-178-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-180-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-182-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-184-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-185-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize 192KB
-
memory/3628-186-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-188-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB
-
memory/3628-190-0x0000000003B40000-0x0000000003B8D000-memory.dmp
Filesize 308KB