3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4

General

Target

3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
Size

26.2MB
MD5

24547d6a56e78e706f7c49b90922bad9
SHA1

8c7471227faf46abbde06ce0c645800a32f48833
SHA256

3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4
SHA512

756d8e5d5034ef07c2ed1483ba8704c7cc8bb2a84688f937efb3eed8a5aa5549d4b5b754007f5ad977430c1fef6bd1a763c47c053b48be40c347a7bce831acde
SSDEEP

786432:/mSroc1dxc//jYChIgW3a47FNNUaVtlbZytIyLMdoF/:/foc1dxc//jYoIgW3a47FNNUItlb2

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000017226-9.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2800	Tomcat.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	Tomcat.exe

Loads dropped DLL 3 IoCs

pid	Process
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2800	Tomcat.exe
2800	Tomcat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2800-12-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/files/0x0008000000017226-9.dat	upx
behavioral1/memory/2800-24-0x00000000006B0000-0x00000000006C8000-memory.dmp	upx
behavioral1/memory/2800-26-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tomcat.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe
2800	Tomcat.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	Tomcat.exe
Token: SeLockMemoryPrivilege	2800	Tomcat.exe
Token: SeCreateGlobalPrivilege	2800	Tomcat.exe
Token: SeBackupPrivilege	2800	Tomcat.exe
Token: SeRestorePrivilege	2800	Tomcat.exe
Token: SeShutdownPrivilege	2800	Tomcat.exe
Token: SeCreateTokenPrivilege	2800	Tomcat.exe
Token: SeTakeOwnershipPrivilege	2800	Tomcat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
2800	Tomcat.exe
2800	Tomcat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2800	2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe	31
PID 2632 wrote to memory of 2800	2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe	31
PID 2632 wrote to memory of 2800	2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe	31
PID 2632 wrote to memory of 2800	2632	3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe	31

C:\Users\Admin\AppData\Local\Temp\3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe
"C:\Users\Admin\AppData\Local\Temp\3eaa32bd56639e2269e30486b879cc6e045a6abe8135fa60d1cd4ae0495d83b4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\Documents\Tomcat.exe
  "C:\Users\Admin\Documents\Tomcat.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\conf.ini

Filesize
222B

MD5
130f9ba26f1908e1dbd3a88dd2fdcb91

SHA1
e6b5c95b786f68a3aede002307732f4bd48729e4

SHA256
88ca038f311c14346197748c4514d26474409331e8cc5b89a2b8b8da1d3d902b

SHA512
848e9ed95bb16010011aa087639e65c8b4924f3a76554c4826284e377f17883e926e2e8e65e33041c9fd9088d064e80e3c0621fd611cec7e71a4f0171b319aa8

Download Submit
\Users\Admin\AppData\Roaming\Ling\malloc\L_mimalloc.dll

Filesize
148KB

MD5
051d69a619adca3472e8d7c9b0c0eb5c

SHA1
6cc795ac90e43e408919e19ba6f5633863560459

SHA256
feefc12464985e2057a4cbd54117e9414f2e00a284106fa38b62d63052a1f7dd

SHA512
50daa3344aa4d86cdd22cf5736eec993467e6574c5e341cd0fd95757c739e167b6e76c744b29ae302d08c88d469fea0767640a9257f54f9dec2c5fbb87c23b71

Download Submit
\Users\Admin\AppData\Roaming\zlib.dll

Filesize
27KB

MD5
849e9f3e59daf750db838e885d58c6fa

SHA1
733cb105153e4b83160a52bfa2ddd95d750fb806

SHA256
f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2

SHA512
3feff6db5fc5ae371a4ec60ce13a383668a5accac537a0ae56b9b5b7318a2d5bdb4b79286a519cad3610cb6d1f335a11c09a4d3165c147a00d5a7880ea23e173

Download Submit
\Users\Admin\Documents\Tomcat.exe

Filesize
2.0MB

MD5
8ff0146992f7bded42d2b48cfecfde0d

SHA1
e1318dc1fe0820477d345704aceff686a3c7e318

SHA256
d3915929f529a3968391657aedf8d7211e2cc8cdfd8a13a8cc3dba782d2b7212

SHA512
303227342a0305ec436ddfcd1a1d3f6d408ffefdbbf861b06a3fefa89360e53109246e69b4d42962c169dbeba6879617725ac999d9ab96a897f2a2e72b618a43

Download Submit
memory/2632-7-0x0000000006D00000-0x0000000006F40000-memory.dmp

Filesize
2.2MB

Download
memory/2632-34-0x0000000006D00000-0x0000000006F40000-memory.dmp

Filesize
2.2MB

Download
memory/2800-11-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/2800-13-0x0000000002B60000-0x0000000002C69000-memory.dmp

Filesize
1.0MB

Download
memory/2800-24-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/2800-25-0x0000000001ED0000-0x0000000001F29000-memory.dmp

Filesize
356KB

Download
memory/2800-26-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2800-33-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/2800-12-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing