Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 10:15

General

  • Target

    3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe

  • Size

    91KB

  • MD5

    6cf0be1c084f30d940c08a4835462bb0

  • SHA1

    2feeab23cd078f98fac5ba6f8a28efa0b62df49d

  • SHA256

    3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

  • SHA512

    c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006

  • SSDEEP

    1536:mmsAYBdTU9fEAIS2PEtu3ZUKT/HlAZ5NsyavLTWVP0n/W73A5xO:1fY/TU9fE9PEtupUKT/lATFYWd0nOUm

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
    "C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\SCHTASKS.exe
        SCHTASKS /DELETE /TN PCAppStoreUpdater /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1100
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\system32\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA549.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA55C.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\SelfDel.dll

    Filesize

    5KB

    MD5

    ca8bcdded6b265453cf68bae8bbd0b3a

    SHA1

    9dbe872ac53e075c0954c882d034aa009c733092

    SHA256

    299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

    SHA512

    a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

  • \Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • \Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\inetc.dll

    Filesize

    38KB

    MD5

    a35cdc9cf1d17216c0ab8c5282488ead

    SHA1

    ed8e8091a924343ad8791d85e2733c14839f0d36

    SHA256

    a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

    SHA512

    0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

  • \Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\nsExec.dll

    Filesize

    7KB

    MD5

    675c4948e1efc929edcabfe67148eddd

    SHA1

    f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

    SHA256

    1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

    SHA512

    61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

  • \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

    Filesize

    91KB

    MD5

    6cf0be1c084f30d940c08a4835462bb0

    SHA1

    2feeab23cd078f98fac5ba6f8a28efa0b62df49d

    SHA256

    3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

    SHA512

    c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006

  • memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp

    Filesize

    36KB