01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
Size

1.6MB
MD5

33abf90163eebf23b75e2877fdc38960
SHA1

a00171ada9b7c63b1a48179443885635f0f20008
SHA256

01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043
SHA512

d8bad79fecd8dbc19b75d75893c71d5edb7dd7763b01ac37942fbf94dc04bfe5e2bd7f1a380b75bd1d036c99f16698d13f2f4973442aa733138abde08cba9054
SSDEEP

24576:Q0MpIg8RLbWpFfA5HFezJUptJVYJgnBNfr9BJLOqmu3yVg+VkXF:Q0CEezebhnBpr7JLOqmu3yg+VA

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000022ab1-12.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-0-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/memory/4000-2-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/memory/4000-5-0x0000000002B10000-0x0000000002B28000-memory.dmp	upx
behavioral2/files/0x0003000000022ab1-12.dat	upx
behavioral2/memory/4000-17-0x00000000047E0000-0x000000000487F000-memory.dmp	upx
behavioral2/memory/4000-152-0x00000000047E0000-0x000000000487F000-memory.dmp	upx
behavioral2/memory/4000-153-0x0000000010000000-0x0000000010018000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2624	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	86
PID 4000 wrote to memory of 2624	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	86
PID 4000 wrote to memory of 2624	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	86
PID 4000 wrote to memory of 1632	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	88
PID 4000 wrote to memory of 1632	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	88
PID 4000 wrote to memory of 1632	4000	01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe	88

C:\Users\Admin\AppData\Local\Temp\01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe
"C:\Users\Admin\AppData\Local\Temp\01a01670e8afbfeef2a2e81f7553ba239ee1e97891d4e019fff86ee5818c7043.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\cacls.exe
  cacls "" /e /p everyone:n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\cacls.exe
  cacls "" /e /p everyone:n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7-zip32_2.dll

Filesize
233KB

MD5
ea3df059beae86a3e186b2b179755e77

SHA1
babdcd6b5082c02fa2f5ebc2020f2cb3bbd77e8d

SHA256
1ab68a0c296281437fe638c8535309c6241ded4852608d940f5efcb8cc2d91a6

SHA512
1406d8083cfbd26e18aba74f6b45a09137bb3960f7afce5c5d0d790b0edb7277b7b885ed2ded9def12b667bcb37cbfb335884b2d7b8f08565743b674d1f053bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57aae6.tmp\data.ini

Filesize
1KB

MD5
9d093674b80ed207ceb92c59de8d5a92

SHA1
f26f7ed8b7e8a930531b1d96649e53f0f7aaeadd

SHA256
683c4bbb85359ae25d7c473cb5c5cb80be72beea2b0e207594208765d98455f4

SHA512
c05d123dc1a76275a61dd7e5a54bb2c73d78648c46ea1146d710250713e6b71f27d4dadd70b9bacd514eb8f9f3152e94ffb1797f8179d48cdae130b69a0c2809

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57aae6.tmp\data.ini

Filesize
1KB

MD5
a12f8b132978d0c68a813cc441d8ca4c

SHA1
222025325e972dfcc6f94d12baadb3334e138e70

SHA256
cea6158cde1c817fb56430a465399973a9a310f9c205b49ecce2cc3072b8c8fd

SHA512
9ce2b680fa9df9f9adac5af2407495ace5acb352193f0daf7d0ec219048c732b030dc533194a98a5baec085dc044aca58ae64bb6244635338e54c52b68281d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57aae6.tmp\variable.ini

Filesize
761B

MD5
21fa746f8d554d0f4fd1257bb77fed19

SHA1
ef818ec6f9d54b9df90fc1e18fe795f76b22e0de

SHA256
f9834c6a2bde77599fc0df69d74d020d12b865de31176a48ad4404809ead8379

SHA512
cb6c743b07f31ec5611ef332de1b4fdd1f874a2cb024b5a359226df53616b5f329a72b896b8be4f8292d43bc563115ecc9fd35a697f050c17cbb7392dabaf4a2

Download Submit
memory/4000-6-0x0000000077409000-0x000000007740A000-memory.dmp

Filesize
4KB

Download
memory/4000-2-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4000-7-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download
memory/4000-8-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download
memory/4000-5-0x0000000002B10000-0x0000000002B28000-memory.dmp

Filesize
96KB

Download
memory/4000-17-0x00000000047E0000-0x000000000487F000-memory.dmp

Filesize
636KB

Download
memory/4000-3-0x0000000002870000-0x0000000002A11000-memory.dmp

Filesize
1.6MB

Download
memory/4000-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4000-1-0x00000000026E0000-0x0000000002868000-memory.dmp

Filesize
1.5MB

Download
memory/4000-151-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download
memory/4000-152-0x00000000047E0000-0x000000000487F000-memory.dmp

Filesize
636KB

Download
memory/4000-153-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4000-154-0x0000000002870000-0x0000000002A11000-memory.dmp

Filesize
1.6MB

Download
memory/4000-156-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download
memory/4000-157-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download
memory/4000-158-0x00000000773F0000-0x00000000774E0000-memory.dmp

Filesize
960KB

Download