4b94640e299e724299403da898947e50ddad47ef193f278a4fa10adb3ba92c2f

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab974b1965fe07bc78a9de1c90972989.exe
Size

11.0MB
MD5

ab974b1965fe07bc78a9de1c90972989
SHA1

c31b7a701b6d9bebd9110bec0a4b599f32a4e35b
SHA256

4b94640e299e724299403da898947e50ddad47ef193f278a4fa10adb3ba92c2f
SHA512

69ecda48e37d7079c6fd505cc4c9338efdd7dab54f76538706a17d6c87211a823f9747af42ab59d4863c90606e768afcf6cd423c870bed5b1c8ffe02fef8bd91
SSDEEP

196608:veGuIMdUOjmoq5PLAn9iVVYNSiTtLFwjfGgRs+DDHSkTfs5z+nGoEr9pno0:2GWUqPADAnwKcuVFwjegRsyDH97mz+Qp

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023255-24.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ab974b1965fe07bc78a9de1c90972989.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	autorun.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023255-24.dat	upx
behavioral2/memory/2248-27-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral2/memory/2248-33-0x0000000010000000-0x000000001007E000-memory.dmp	upx

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\sfx00000\autorun.inf	ab974b1965fe07bc78a9de1c90972989.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2248	1856	ab974b1965fe07bc78a9de1c90972989.exe	91
PID 1856 wrote to memory of 2248	1856	ab974b1965fe07bc78a9de1c90972989.exe	91
PID 1856 wrote to memory of 2248	1856	ab974b1965fe07bc78a9de1c90972989.exe	91

C:\Users\Admin\AppData\Local\Temp\ab974b1965fe07bc78a9de1c90972989.exe
"C:\Users\Admin\AppData\Local\Temp\ab974b1965fe07bc78a9de1c90972989.exe"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\sfx00000\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\sfx00000\autorun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apm3B20.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx00000\autorun.apm

Filesize
1.7MB

MD5
3e4015d3cee5ee656c7f5e126a964cfc

SHA1
8d7734ffd45377d372ca2d2bad2f685e575c4a34

SHA256
57932b55f4b55cf075d4d122e5e71d5ee7357b991646a9a0fa3137b5d046fd26

SHA512
c084047a213357ddcc30a353a64422fd4666ddd7666131354d63bac8c5bf2fa3ab7c6965f5353f0ed2e749bd8e98f33b4e9e6e5e279f0acb141ccac7cf89449b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx00000\autorun.exe

Filesize
1.7MB

MD5
c64b44ada8f57fb0a259ceeb6475c43b

SHA1
ba338be45778aaf192b6f32ab21379e5de948877

SHA256
a613426d40fd28523eb3dfb48a3f3c68744309019e374653fee9272ec86e2f0c

SHA512
309c9ec2675800ce3d15079b089bf95d222ff0fd87735c08bec0efb6536457bcd5b9d9dd721e96c4fdf33dadb1b3ba2aa8181969f37a9a4c7236345f52c3bfe5

Download Submit
memory/1856-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1856-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2248-22-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2248-27-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2248-32-0x0000000000400000-0x00000000005E9000-memory.dmp

Filesize
1.9MB

Download
memory/2248-33-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2248-36-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads