e46141f1d741192361966ffa93790c3032ac6123d49a78c7271c101488b8848c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f36dde1cc56c41c6bf0da63a023acf0N.exe
Size

2.7MB
MD5

8f36dde1cc56c41c6bf0da63a023acf0
SHA1

001634af373b3bd9017a62ecae71214b7b9c6156
SHA256

e46141f1d741192361966ffa93790c3032ac6123d49a78c7271c101488b8848c
SHA512

32771304c83ad649b947c9b5d102db43bcf01c2c1c3d4920bf82325f96fbc6c1aa6fc4c274c50cd6d44621ec2ef9b3e39ac8c48bbbf9cb7554d1ee247fe15f1e
SSDEEP

49152:1KG0pl7yM9RTw0Pelu8G5UoeBJksdUD0f+GWeIWmRlo0:134H9RtPeoVOoOmZQVWtWm3Z

Score

8^/10

discovery upx

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	2840	rundll32.exe
7	2840	rundll32.exe
9	2840	rundll32.exe
12	2328	rundll32.exe
15	2916	rundll32.exe
16	2916	rundll32.exe
18	1244	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000017093-68.dat	acprotect

Loads dropped DLL 29 IoCs

pid	Process
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2916	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000017093-68.dat	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f36dde1cc56c41c6bf0da63a023acf0N.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe
2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2840	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	30
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2328	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	31
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 2916	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	32
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33
PID 2208 wrote to memory of 1244	2208	8f36dde1cc56c41c6bf0da63a023acf0N.exe	33

C:\Users\Admin\AppData\Local\Temp\8f36dde1cc56c41c6bf0da63a023acf0N.exe
"C:\Users\Admin\AppData\Local\Temp\8f36dde1cc56c41c6bf0da63a023acf0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\InstSupp.dll",CmdProc --Level --Supp 563 --Ver 157
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\InstSupp.dll",CmdProc --Goo --Proc checkinstall --Supp 563 --Cid 3816143B-30DF-2142-80C4-DA880AA9BED2
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\InstSupp.dll",CmdProc --Check --Supp 563 --Uid 52A56D460055DC469EFF988A4BFE3127 --Ver 157
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\InstSupp.dll",CmdProc --Res "C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\nst7F11.tmp" --Ver 157 --Supp 563 --Err 5
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
2d0a2e5dd2ff4bb2df0457d6492bc174

SHA1
15003f5fbfb2932a4b66a1f523fcefe68cdf2d72

SHA256
5a9e18e34843a73c106b7b537eda7f320cce8be948be1c3fe28fa12f1b928f4c

SHA512
70c8f3e21037f12f8ca7efb85c1e8c45a4f757435046b79b1ba6da367a9f73471b8bdaef65c3c25258500de635b5652ffe1339f759d93eba9532ffa929e5c57b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bd9943987357f806da7f57e50d415bb

SHA1
dcdb8a9e99ebe01b309e5ec57bfe8dbbd554dcff

SHA256
f4e4fc9c95c3bcf7495ee0e75ad3734682aaaf64c7b89655d85adc616c9c403d

SHA512
77f70a9a58d435e8f6c1242e72e0a137481fcd39de6e592fea440f0299ceb87ffea67cf79baa4a1b8a096211600d955c0f80184efec93e6e7bf1cd3ec758460d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
79731c673acc62c4a5e15ef42f22a513

SHA1
93e55c3122feb0d43a69a9853e649afafd3ca9f2

SHA256
89823fa8073f43c53c6fca9dea67aafb5fd9dd6605216a07df2c7674be15fc10

SHA512
df2ea28b35c2f68b8b05e94d96424fce467d7752a75b68dee7a7f3892dcdf7b3e24583266a9b3890c10167c0a7e112a7c63961fb880385189ad0aac4a5e07ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\InstSupp.dll

Filesize
365KB

MD5
3ad18e6d9662a366e1c8ebd31f059da5

SHA1
2782f844625a824bd7509785bc8621db24d3ae39

SHA256
887517b5ea27a815d0a026d925bb402e14fb9256c5ef22e57baa5f48247245a6

SHA512
a200a69ba098f1a2d72e313874f600b0d7d54b425e98c3b434baadeeb65c85d9de70b9c905515e7843c5528c41de16273fe93fa5f0bab2bf933b9ff793c01a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\nst7F11.tmp

Filesize
1KB

MD5
03dcc33fde8e0a66a0002f209db3f075

SHA1
051c5189078bf5a5af35f673a3bfe17030148ba6

SHA256
fc413320af8781270a142f2a428fa4b55e02a3ad5e9b41488777b58f9ac1a23e

SHA512
dc6d96e31b34a75b0de4037a57ce27d5d3bcb17a07bfa9c19d2257f29da1206085a30411843352427b948c98f98353ebd507881ed2838564d7378e37c12d6fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C655A098-2838-334A-ACE5-867ED0B0ADEF\nst7F11.tmp

Filesize
1KB

MD5
5d4e8334e4f9700ea8a2e036560f6bd3

SHA1
cf9f7ac7ce3e3f4a90ce1c00245825319ffa689b

SHA256
1815680ae59da7c53897e4a3e15a59fa47b52e9a37887dc1d9e98e515c743064

SHA512
b3a0369cc21163a3b890c60f4f8e5a83270bec822260733d0efea88150c54ee656f664e789ac0dbf072537f14579856785ee97fd6958bf9fd3df7860b07e01b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7B58.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7B58.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
memory/2208-118-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-76-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-112-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-113-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-114-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-115-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-116-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-117-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2208-75-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download