Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 08:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 97ebf26ba023e3e9ad523e223b3a1040N.dll
- Resource: win7-20240704-en
General
- Target: 97ebf26ba023e3e9ad523e223b3a1040N.dll
- Size: 246KB
- MD5: 97ebf26ba023e3e9ad523e223b3a1040
- SHA1: 8c1d9d3edbb1a94a9ad0fdf0cc432e96e73f7176
- SHA256: ae48588cc7d3629627fd18edab0f99750cda0bded2d82de2a211685afd2bfdc0
- SHA512: 2f7e9cfacbfa1494237215e0bf9b7883202632c130342f26fa0932057595203e484900538f9fed8cce545970b6217fa1bc857d732aeea126504c030eba217522
- SSDEEP: 6144:1HBE+ePyHSo0mxppi57PggswqGWg4b7uC7d4SPWT3FH:1HBEro7xPidPgT7uCJZeZ
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral1/files/0x0008000000018736-13.dat   yara_rule: acprotect
- Executes dropped EXE (2 IoCs)
  PID 2084 hrlD21E.tmp; PID 2356 dqhjao.exe
- Loads dropped DLL (4 IoCs)
  PID 2700 rundll32.exe; PID 2700 rundll32.exe; PID 2084 hrlD21E.tmp; PID 2356 dqhjao.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by rundll32.exe: \??\X:, \??\E:, \??\K:, \??\N:, \??\T:, \??\G:, \??\M:, \??\Q:, \??\S:, \??\U:, \??\W:, \??\Y:, \??\H:, \??\J:, \??\O:, \??\P:, \??\Z:, \??\I:, \??\L:, \??\R:, \??\V:
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\dqhjao.exe (by hrlD21E.tmp)
  File opened for modification: C:\Windows\SysWOW64\dqhjao.exe (by hrlD21E.tmp)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by rundll32.exe, hrlD21E.tmp and dqhjao.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2084 hrlD21E.tmp; PID 2356 dqhjao.exe
- Suspicious behavior: MapViewOfSection (51 IoCs)
  PID 2084 hrlD21E.tmp (25 entries); PID 2356 dqhjao.exe (26 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2084 hrlD21E.tmp; Token: SeDebugPrivilege, PID 2356 dqhjao.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2084 hrlD21E.tmp; PID 2356 dqhjao.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  The per-call rows condensed by writer and target (writer PID and process, target PID, procid_target, number of rows):
    2392 rundll32.exe  -> 2700  (procid_target 30)  7 rows
    2700 rundll32.exe  -> 2084  (procid_target 31)  4 rows
    2084 hrlD21E.tmp   -> 384   (procid_target 3)   7 rows
    2084 hrlD21E.tmp   -> 392   (procid_target 4)   7 rows
    2084 hrlD21E.tmp   -> 432   (procid_target 5)   7 rows
    2084 hrlD21E.tmp   -> 476   (procid_target 6)   7 rows
    2084 hrlD21E.tmp   -> 492   (procid_target 7)   7 rows
    2084 hrlD21E.tmp   -> 500   (procid_target 8)   7 rows
    2084 hrlD21E.tmp   -> 604   (procid_target 9)   7 rows
    2084 hrlD21E.tmp   -> 684   (procid_target 10)  4 rows
  The list stops at 64 rows mid-sequence (every other hrlD21E.tmp target has seven rows, PID 684 has four), so writes into further targets, if there were any, are not shown. The first two pairs are parent-to-child writes during process creation; the remaining eight are writes by the dropped hrlD21E.tmp into processes it did not create, and the target PIDs resolve in the process tree below to wininit.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, lsm.exe and two svchost.exe instances.
Processes
Tree reconstructed from the report's depth markers (indentation = parent/child; the signature hits attributed to a process are listed under it).

PID 384   C:\Windows\system32\wininit.exe   (cmd: wininit.exe)
  PID 476   C:\Windows\system32\services.exe
    PID 604   C:\Windows\system32\svchost.exe -k DcomLaunch
      PID 1576  C:\Windows\system32\wbem\wmiprvse.exe
      PID 304   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID 684   C:\Windows\system32\svchost.exe -k RPCSS
    PID 756   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    PID 820   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      PID 1164  "C:\Windows\system32\Dwm.exe"
    PID 848   C:\Windows\system32\svchost.exe -k netsvcs
    PID 972   C:\Windows\system32\svchost.exe -k LocalService
    PID 284   C:\Windows\system32\svchost.exe -k NetworkService
    PID 564   C:\Windows\System32\spoolsv.exe
    PID 1076  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    PID 1120  C:\Windows\system32\taskhost.exe   (cmd: "taskhost.exe")
    PID 1444  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    PID 2992  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    PID 2024  C:\Windows\system32\sppsvc.exe
    PID 2356  C:\Windows\SysWOW64\dqhjao.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  PID 492   C:\Windows\system32\lsass.exe
  PID 500   C:\Windows\system32\lsm.exe
PID 392   C:\Windows\system32\csrss.exe   (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
PID 432   C:\Windows\system32\winlogon.exe   (cmd: winlogon.exe)
PID 1212  C:\Windows\Explorer.EXE
  PID 2392  C:\Windows\system32\rundll32.exe   (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97ebf26ba023e3e9ad523e223b3a1040N.dll,#1)
    - Suspicious use of WriteProcessMemory
    PID 2700  C:\Windows\SysWOW64\rundll32.exe   (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97ebf26ba023e3e9ad523e223b3a1040N.dll,#1)
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 2084  C:\Users\Admin\AppData\Local\Temp\hrlD21E.tmp
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

Reading the tree: the 64-bit rundll32.exe (PID 2392) re-launches the DLL through the SysWOW64 rundll32.exe (PID 2700), which is what happens for a 32-bit DLL on x64. That process runs the dropped hrlD21E.tmp from the user's Temp directory (PID 2084), which in turn writes C:\Windows\SysWOW64\dqhjao.exe. dqhjao.exe (PID 2356) sits under services.exe (PID 476) rather than under the dropper, so it was started by the Service Control Manager, not directly by hrlD21E.tmp. Both dropped executables enable SeDebugPrivilege, and hrlD21E.tmp then writes into wininit.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, lsm.exe and the svchost.exe instances with PIDs 604 and 684.
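The check an analyst would want from the two sections above, written as an added example for this page (it is not code from the Triage report or from the sample): rebuild the parent/child tree from the flattened Processes lines, then sort every "wrote to memory of" row into writes into the writer's own child (normal during process creation, and also what hollowing looks like), writes into itself, and writes into an unrelated process. The inputs are constructed from the report: a subset of the Processes lines with the PID joined onto each line, and an excerpt of the WriteProcessMemory rows, so the counts are smaller than the report's. The CORE_SYSTEM set is my own list of high-value targets, not something the report defines.

```python
"""Rebuild a Triage process tree and classify its WriteProcessMemory rows.

Added example for this page (not code from the report or the sample). Inputs are
constructed from the report: a subset of the Processes lines, PID joined onto each
line, and an excerpt of the WriteProcessMemory rows, so counts are smaller."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS_LINES = r"""
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:604
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1576
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:684
C:\Windows\SysWOW64\dqhjao.exeC:\Windows\SysWOW64\dqhjao.exe3⤵PID:2356
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1212
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\97ebf26ba023e3e9ad523e223b3a1040N.dll,#12⤵PID:2392
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\97ebf26ba023e3e9ad523e223b3a1040N.dll,#13⤵PID:2700
C:\Users\Admin\AppData\Local\Temp\hrlD21E.tmpC:\Users\Admin\AppData\Local\Temp\hrlD21E.tmp4⤵PID:2084
"""
WPM_ROWS = (  # "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
    "PID 2392 wrote to memory of 2700 2392 rundll32.exe 30 "
    "PID 2392 wrote to memory of 2700 2392 rundll32.exe 30 "
    "PID 2700 wrote to memory of 2084 2700 rundll32.exe 31 "
    "PID 2084 wrote to memory of 384 2084 hrlD21E.tmp 3 "
    "PID 2084 wrote to memory of 392 2084 hrlD21E.tmp 4 "
    "PID 2084 wrote to memory of 432 2084 hrlD21E.tmp 5 "
    "PID 2084 wrote to memory of 476 2084 hrlD21E.tmp 6 "
    "PID 2084 wrote to memory of 492 2084 hrlD21E.tmp 7 "
    "PID 2084 wrote to memory of 500 2084 hrlD21E.tmp 8 "
    "PID 2084 wrote to memory of 604 2084 hrlD21E.tmp 9 "
    "PID 2084 wrote to memory of 684 2084 hrlD21E.tmp 10"
)

# Triage fuses image path, command line, depth and PID on one line: the first
# ".exe"/".tmp" ends the path and the depth is the single digit before the arrow.
PROC_RE = re.compile(r"^(?P<path>.+?\.(?:exe|tmp))(?P<cmd>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$", re.IGNORECASE)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Assumption (my choice, not the report's): targets worth flagging on their own.
CORE_SYSTEM = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "lsm.exe", "svchost.exe"}

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional[int]

@dataclass
class WriteRow:
    writer: int
    target: int
    target_image: str
    count: int
    relation: str   # "self", "child" or "unrelated"
    core: bool

def parse_processes(text: str) -> Dict[int, Proc]:
    """Pre-order walk: a line's parent is the nearest earlier line one level up."""
    procs: Dict[int, Proc] = {}
    stack: List[int] = []          # stack[i] holds the open ancestor at depth i+1
    for line in text.strip().splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable process line: {line!r}")
        depth, pid = int(m["depth"]), int(m["pid"])
        del stack[depth - 1:]      # close everything at this depth or deeper
        procs[pid] = Proc(pid, m["path"].rsplit("\\", 1)[-1], m["cmd"], depth, stack[-1] if stack else None)
        stack.append(pid)
    return procs

def parse_writes(text: str) -> Counter:
    """Count rows per (writer_pid, target_pid)."""
    return Counter((int(w), int(t)) for w, t, _img, _idx in WRITE_RE.findall(text))

def classify_writes(procs: Dict[int, Proc], writes: Counter) -> List[WriteRow]:
    """A write into a process the writer created is normal for process creation
    (and is also how hollowing works); a write into any other process needed an
    explicit open with write access, which is the case worth a second look."""
    rows = []
    for (w, t), n in sorted(writes.items()):
        target = procs.get(t)
        relation = "self" if t == w else "child" if target and target.parent == w else "unrelated"
        image = target.image.lower() if target else "?"
        rows.append(WriteRow(w, t, image, n, relation, image in CORE_SYSTEM))
    return rows

if __name__ == "__main__":
    procs = parse_processes(PROCESS_LINES)
    for r in classify_writes(procs, parse_writes(WPM_ROWS)):
        if r.relation == "unrelated":
            flag = "  [core system process]" if r.core else ""
            print(f"{procs[r.writer].image} ({r.writer}) -> {r.target_image} ({r.target}) x{r.count}{flag}")
```

On the excerpt above, the two rundll32 writes resolve to "child" and drop out, leaving eight "unrelated" writes by hrlD21E.tmp, all into processes in CORE_SYSTEM. Run against a full report, the same filter also separates the parent-to-child writes that every process launch produces from the cross-process writes that actually need SeDebugPrivilege.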
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 238KB
  MD5: d250d6178cb27a3eb21123c7f25eb6d4
  SHA1: d1b733aa8e97fb9d7edf54f80c25ea85e8ad2959
  SHA256: 152f59369afb57c4f91bed9b920e774963ab0161f952d1e8e00f83627cffd50b
  SHA512: 3f80ccbc42cf5ed593ae03de777ff06058b9e0fbf9358f9941db7aff398a470a6a6060462cc4b3e42a058147dc29f2dc21e8f265d65389754a9a376eafdbf102
- Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9