e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32

Analysis

max time kernel
17s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
Size

6.4MB
MD5

3e129091f24edf63142c709688a82aa9
SHA1

91b82ce9e53773c76e3aa6929c442f6b260810b6
SHA256

e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32
SHA512

d5439b173ef77db597539f18b7ee6815cf48cf0f4b1e359b042e6e224306c5a07c8586a282e7a1c3c996bf316e721ee4631f4d2e1c37f81e51876e5fb571dc6f
SSDEEP

196608:zhxRPAu3seOhqXP3KtBllnyB/lV9kLIVec0e/TCdnZ56Ac:tzPIhwXP6tBl6/lsLPc/ynZ56Ac

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000120fa-8.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1896-0-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1896-2-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1896-10-0x00000000056F0000-0x000000000578F000-memory.dmp	upx
behavioral1/files/0x00090000000120fa-8.dat	upx
behavioral1/memory/1896-40-0x00000000056F0000-0x000000000578F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2224	1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe	29
PID 1896 wrote to memory of 2224	1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe	29
PID 1896 wrote to memory of 2224	1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe	29
PID 1896 wrote to memory of 2224	1896	e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe	29

C:\Users\Admin\AppData\Local\Temp\e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
"C:\Users\Admin\AppData\Local\Temp\e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cacls.exe
  cacls "" /e /p everyone:n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f79784b.tmp\data.ini

Filesize
2KB

MD5
e4d15adb53f915ec9d8eb01498a13fd5

SHA1
e1b803a091773c1b604252903a7240720de93dc1

SHA256
3d37404c803e12094dd5f0399fbd81c600873a94e8f88268386aca2e010c13e7

SHA512
c52c8234ef79ba4c2904dd36a3689431ff2c3a13e583399ad6bb69994b4b0af33cb56ab71a1a48a2671c0272448c2b1f4fe5cb24b1d56c20bc6a08c0b76d0c8f

Download Submit
\Users\Admin\AppData\Local\Temp\7-zip32_2.dll

Filesize
233KB

MD5
ea3df059beae86a3e186b2b179755e77

SHA1
babdcd6b5082c02fa2f5ebc2020f2cb3bbd77e8d

SHA256
1ab68a0c296281437fe638c8535309c6241ded4852608d940f5efcb8cc2d91a6

SHA512
1406d8083cfbd26e18aba74f6b45a09137bb3960f7afce5c5d0d790b0edb7277b7b885ed2ded9def12b667bcb37cbfb335884b2d7b8f08565743b674d1f053bb

Download Submit
memory/1896-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1896-3-0x000000007752D000-0x000000007752E000-memory.dmp

Filesize
4KB

Download
memory/1896-2-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1896-4-0x0000000077500000-0x0000000077610000-memory.dmp

Filesize
1.1MB

Download
memory/1896-10-0x00000000056F0000-0x000000000578F000-memory.dmp

Filesize
636KB

Download
memory/1896-40-0x00000000056F0000-0x000000000578F000-memory.dmp

Filesize
636KB

Download
memory/1896-42-0x0000000077500000-0x0000000077610000-memory.dmp

Filesize
1.1MB

Download
memory/1896-41-0x0000000077500000-0x0000000077610000-memory.dmp

Filesize
1.1MB

Download
memory/1896-43-0x0000000077500000-0x0000000077610000-memory.dmp

Filesize
1.1MB

Download