Overview
overview
7Static
static
73f5b0fbbf8...63.exe
windows7-x64
73f5b0fbbf8...63.exe
windows10-2004-x64
7$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 10:15
Behavioral task
behavioral1
Sample
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
General
-
Target
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
-
Size
91KB
-
MD5
6cf0be1c084f30d940c08a4835462bb0
-
SHA1
2feeab23cd078f98fac5ba6f8a28efa0b62df49d
-
SHA256
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263
-
SHA512
c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006
-
SSDEEP
1536:mmsAYBdTU9fEAIS2PEtu3ZUKT/HlAZ5NsyavLTWVP0n/W73A5xO:1fY/TU9fE9PEtupUKT/lATFYWd0nOUm
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0017000000016caa-172.dat acprotect behavioral1/memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp acprotect -
resource yara_rule behavioral1/files/0x0017000000016caa-172.dat upx behavioral1/memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2556 set thread context of 2216 2556 Un_A.exe 35 -
Executes dropped EXE 1 IoCs
pid Process 2556 Un_A.exe -
Loads dropped DLL 6 IoCs
pid Process 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 2556 Un_A.exe 2556 Un_A.exe 2556 Un_A.exe 2556 Un_A.exe 2556 Un_A.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Un_A.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCHTASKS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2556 Un_A.exe 2556 Un_A.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2908 wrote to memory of 2556 2908 3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe 30 PID 2556 wrote to memory of 1100 2556 Un_A.exe 33 PID 2556 wrote to memory of 1100 2556 Un_A.exe 33 PID 2556 wrote to memory of 1100 2556 Un_A.exe 33 PID 2556 wrote to memory of 1100 2556 Un_A.exe 33 PID 2556 wrote to memory of 2216 2556 Un_A.exe 35 PID 2556 wrote to memory of 2216 2556 Un_A.exe 35 PID 2556 wrote to memory of 2216 2556 Un_A.exe 35 PID 2556 wrote to memory of 2216 2556 Un_A.exe 35 PID 2556 wrote to memory of 2216 2556 Un_A.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe"C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /DELETE /TN PCAppStoreUpdater /f3⤵
- System Location Discovery: System Language Discovery
PID:1100
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
5KB
MD5ca8bcdded6b265453cf68bae8bbd0b3a
SHA19dbe872ac53e075c0954c882d034aa009c733092
SHA256299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184
SHA512a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
38KB
MD5a35cdc9cf1d17216c0ab8c5282488ead
SHA1ed8e8091a924343ad8791d85e2733c14839f0d36
SHA256a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df
SHA5120f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf
-
Filesize
7KB
MD5675c4948e1efc929edcabfe67148eddd
SHA1f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
SHA2561076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
SHA51261737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683
-
Filesize
91KB
MD56cf0be1c084f30d940c08a4835462bb0
SHA12feeab23cd078f98fac5ba6f8a28efa0b62df49d
SHA2563f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263
SHA512c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006