c61b5607b44767ddefc0bffe8defe80e632309d82196b335bfd7f30dd59fd165

General

Target

Megpoid_sweet/Megpoid_sweet.exe
Size

5.0MB
MD5

e7c475266cc53cde788b5bfd5eade9dd
SHA1

caff489650833e6bcb5173a3db9f61e5a046b85e
SHA256

6dfbc11d8209b76c3556333f9476672d1b63cc8626ae28b03042969c9e2d4fe7
SHA512

7d2de3da52e04dbc4f37aa4a4f1f7cca99d0a1ab3a6ea0ff957686b157c1dd92ac229228ba487155044c00b0249ed7263a5c65b23a43828a5b5d7488562429e9
SSDEEP

98304:PkSuxagH7OD8a8a6kHkEDLmYD1dmr4kAoVjna5fAt+YzW45IzXWX9h8pR4too9:fgHCD8NCkVYxdmMkAoVjnsC+YS/XWz3r

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0011000000018676-31.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2516	Megpoid_sweet.tmp

Loads dropped DLL 7 IoCs

pid	Process
1956	Megpoid_sweet.exe
2516	Megpoid_sweet.tmp
2516	Megpoid_sweet.tmp
2516	Megpoid_sweet.tmp
2516	Megpoid_sweet.tmp
2516	Megpoid_sweet.tmp
2516	Megpoid_sweet.tmp

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0011000000018676-31.dat	upx
behavioral1/memory/2516-33-0x0000000004B30000-0x0000000004B61000-memory.dmp	upx
behavioral1/memory/2516-41-0x0000000004B30000-0x0000000004B61000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.ddi	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.ddi	Megpoid_sweet.tmp
File created	C:\Program Files (x86)\VoiceDB\unins000.dat	Megpoid_sweet.tmp
File created	C:\Program Files (x86)\VoiceDB\is-D63V3.tmp	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\Megpoid_sweet	Megpoid_sweet.tmp
File created	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.vvd	Megpoid_sweet.tmp
File created	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.ddb	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\unins000.dat	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.vvd	Megpoid_sweet.tmp
File opened for modification	C:\Program Files (x86)\VoiceDB\Megpoid_sweet\BCCDC6XZLSZHZCB4\Megpoid_Sweet.ddb	Megpoid_sweet.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	Megpoid_sweet.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2516	Megpoid_sweet.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31
PID 1956 wrote to memory of 2516	1956	Megpoid_sweet.exe	31

C:\Users\Admin\AppData\Local\Temp\Megpoid_sweet\Megpoid_sweet.exe
"C:\Users\Admin\AppData\Local\Temp\Megpoid_sweet\Megpoid_sweet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\is-O0GPK.tmp\Megpoid_sweet.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O0GPK.tmp\Megpoid_sweet.tmp" /SL5="$4010A,4854253,60928,C:\Users\Admin\AppData\Local\Temp\Megpoid_sweet\Megpoid_sweet.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\gumi_sweet.bmp

Filesize
4.2MB

MD5
eec39118faddbc1396a58db4e330a9f4

SHA1
3cf98c6e385fb8e5a29a4d88b8a8b4bb8a6cabbe

SHA256
a4d11891e9b1d389ed5d255900af592dc28888af16044301a0d0f68159c75a95

SHA512
5949a424a87777d283b5ce48df1fd991f2f7adbdd76134df5a2acab184670d40a9f8abf7accc75aeaed79e3af7aa846a42e27fc9215a5364890c78336196a120

Download Submit
\Users\Admin\AppData\Local\Temp\is-O0GPK.tmp\Megpoid_sweet.tmp

Filesize
694KB

MD5
fe09f5ac4f69487b64388151c6af14cb

SHA1
6612616ebde43e8f492d3b3e0356fe0770588a50

SHA256
4c36492448db48c20bda63fbc42456218ede1e283e7e001db39a87a22ed411f0

SHA512
57862f62eae1f17af707eac45ab145dc1e637571cd1310d2df08606e45094effbe3eb62fd0ea0f5c365dab41a7df9d65abdb0102a3e109ff490e1e0f917b254b

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\bass.dll

Filesize
91KB

MD5
26295a0baf87955f2e37735af135ca45

SHA1
97f468d3ebaca4774ce69f6f55c998b93a912540

SHA256
0bd42c13dd0a5c881e80f161f7548b093c4fd99a747c13568af983e2c76cd71a

SHA512
6760c5fe3621b1d9c84a5c974c28d796cfba83dba4ff0e9f9eb0ed19cb47a6fc6a1322f58193eb4d638e214f7e61e9543f6f9235c2be8888bcd075fa7650b20a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\isgsg.dll

Filesize
34KB

MD5
09974eaff6defadde38b1328754dbe09

SHA1
001cfb5514444188e455b97acc369f037079ca9d

SHA256
9eeef28d82fc4db7d1269dfbc0ea282768ce5e2e4e4bdc867d80d6847468dca7

SHA512
da29b01ebebb454c004420c6b29bb8dca9fb50554a7a5db30035a5ec458d766049bf5502f708bf7eb210a4f9cbdb308cc0c8dcdad9f745b01a9e4f1455bbc846

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHUIH.tmp\unarc.dll

Filesize
214KB

MD5
97553f17f620de864a3297153e3711fa

SHA1
8834d5b74ccecd15ef3bc5bfeb7ea6faa6e641b8

SHA256
2adcfd5fc9d6c62ea98beab6aac230d5d828ead4403ba930b24326cd81db40ac

SHA512
669e76854a44ab4991bb421481c0415cdc6d27378eba720357e5ada2f57698ad86293717723d542ce838a7acdf7b2e4c4e182aa13e9dfa7479955f3dd0df1fd9

Download Submit
memory/1956-42-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1956-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1956-105-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1956-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2516-45-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2516-68-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-39-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-40-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-41-0x0000000004B30000-0x0000000004B61000-memory.dmp

Filesize
196KB

Download
memory/2516-33-0x0000000004B30000-0x0000000004B61000-memory.dmp

Filesize
196KB

Download
memory/2516-46-0x0000000061080000-0x00000000610F3000-memory.dmp

Filesize
460KB

Download
memory/2516-23-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2516-44-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-50-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-56-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-63-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2516-62-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-38-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-67-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-77-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-78-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-81-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-83-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-85-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2516-84-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-86-0x0000000061080000-0x00000000610F3000-memory.dmp

Filesize
460KB

Download
memory/2516-104-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2516-20-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2516-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing