e189b30166ac4bbcf0b1340b594e6b63e6c4f2a15522111d03303ac1da201453

Analysis

max time kernel
141s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v4050105.exe
Size

3.8MB
MD5

59afe4e60a4794677c392def4ab664f8
SHA1

889aa348a413eec52dd9a43f7d445510c28b75da
SHA256

c39210d58609f36d7ae8eb273ca52f6e03fba78dd82d62e4f621698d150f4e42
SHA512

99d0a61926ec5a4ee8875488ce919723bca9b26340573b5f62acb3822a63a55378218a44f6de5aca85fe5e54f3fa72b4bf0ec793118561409d53f8cb6f152acb
SSDEEP

98304:Y7oOTIqd6+ZFwOSmzRKwkEMgx7TOFbqIeUVUfkvHB:oEh+ZahcmyeNVUcvh

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016d14-4.dat	acprotect
behavioral1/memory/1820-15-0x0000000030000000-0x0000000030028000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3056	install.exe

Loads dropped DLL 5 IoCs

pid	Process
1820	v4050105.exe
1820	v4050105.exe
3056	install.exe
3056	install.exe
3056	install.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d14-4.dat	upx
behavioral1/memory/1820-15-0x0000000030000000-0x0000000030028000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dunzip32.dll	v4050105.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	install.exe
3056	install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29
PID 1820 wrote to memory of 3056	1820	v4050105.exe	29

C:\Users\Admin\AppData\Local\Temp\v4050105.exe
"C:\Users\Admin\AppData\Local\Temp\v4050105.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\_TempDir\install.exe
  C:\Users\Admin\AppData\Local\Temp\_TempDir\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_TempDir\Readme_Eng.txt

Filesize
421B

MD5
3a43243f48efd76de7ce5e2f1b74e327

SHA1
ef3f9f2bc9e40e8fced7084fd9cc29b20ecca8ce

SHA256
b0452c1718a152a38907bedb505f272b934b1bacb03d0758e6b0e71525c835f3

SHA512
7e5e681f310c9deb0e6f3b4debc6a8c4110c860514f918edda6052cea56270b7b170dc3f4cbf8ae3ac859da026ffc159a75f44e2f0b3932070fdcff3f1cbbc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_TempDir\VrFile.Zip

Filesize
3.4MB

MD5
1a80fd5a82c19382f1fdbe55a40485ec

SHA1
c3e917b03ef8b33c45253e5c839445cf67346fd2

SHA256
db64fae38b7a78394f2e83fd871ba1f52b56f9a088acb3bedd968816ad8132cc

SHA512
881f93c5095b4f4f749f6b8ddafbea9689a28ffbb2567c22c385c0d208e6850a2fbe500acc9dfb68be3ebbb47cf28078eddc4fe3c2c7d73021650d985d926316

Download Submit
C:\Users\Admin\AppData\Local\Temp\_TempDir\vrup.ini

Filesize
1KB

MD5
e4e3a8b6ea5a8a204b90eaf0d7a305f7

SHA1
adca38c074b7346dceb6ef7a00fd5b6dfdbb7ff0

SHA256
08d6248e34b72be977226db2e5af2b882e8cc2936f8cb89eb1af94d3fe876dcc

SHA512
3601dff4da857435d110188a34544e15e792cd27d1b220f251a97ce5f3e0239a163fa95eeb74190fcd661a75059d5b828e9e711e074ddf553ee07cf936dc2197

Download Submit
\Users\Admin\AppData\Local\Temp\_TempDir\Install.exe

Filesize
152KB

MD5
c313c7a7f69103ef1a46ef20ea6b033e

SHA1
3d932b7491ab48c944f5247c198240b39e46c2cf

SHA256
6410937c7c218a95f1380fecddb2d0f72db36c08506c1149c2fb06401073a1cf

SHA512
7f6550edff488a27f98e350057654ed5a7c5664cd6bfe1578e4faceef8c368b3e0b243b6d53ec46bee92ebb934f7c8aededf9223a6a5eae10dd508c778f926f6

Download Submit
\Windows\SysWOW64\Dunzip32.dll

Filesize
47KB

MD5
98a8fbe183b2479a3db3c19fbe4cfa6e

SHA1
04f52ed3f713430583c74ebeabda43c8f66c9cfd

SHA256
3358a089cb443618b9cedbd499efc70f8eca2974e9631907abc1407009c33e3b

SHA512
b77dd0ce11822288db8d18e5ed11dbb88e8b691c11cc68dc2de966094bc7035ccac8cfbbcc2f696762da5d5de5ba2391e4fce37281b6482f25e8cef184f528b6

Download Submit
memory/1820-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-15-0x0000000030000000-0x0000000030028000-memory.dmp

Filesize
160KB

Download
memory/1820-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download