3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

General

Target

3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Size

91KB
MD5

6cf0be1c084f30d940c08a4835462bb0
SHA1

2feeab23cd078f98fac5ba6f8a28efa0b62df49d
SHA256

3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263
SHA512

c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006
SSDEEP

1536:mmsAYBdTU9fEAIS2PEtu3ZUKT/HlAZ5NsyavLTWVP0n/W73A5xO:1fY/TU9fE9PEtupUKT/lATFYWd0nOUm

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0017000000016caa-172.dat	acprotect
behavioral1/memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0017000000016caa-172.dat	upx
behavioral1/memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2216	2556	Un_A.exe	35

Executes dropped EXE 1 IoCs

pid	Process
2556	Un_A.exe

Loads dropped DLL 6 IoCs

pid	Process
2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
2556	Un_A.exe
2556	Un_A.exe
2556	Un_A.exe
2556	Un_A.exe
2556	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	Un_A.exe
2556	Un_A.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2908 wrote to memory of 2556	2908	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	30
PID 2556 wrote to memory of 1100	2556	Un_A.exe	33
PID 2556 wrote to memory of 1100	2556	Un_A.exe	33
PID 2556 wrote to memory of 1100	2556	Un_A.exe	33
PID 2556 wrote to memory of 1100	2556	Un_A.exe	33
PID 2556 wrote to memory of 2216	2556	Un_A.exe	35
PID 2556 wrote to memory of 2216	2556	Un_A.exe	35
PID 2556 wrote to memory of 2216	2556	Un_A.exe	35
PID 2556 wrote to memory of 2216	2556	Un_A.exe	35
PID 2556 wrote to memory of 2216	2556	Un_A.exe	35

C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
"C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /DELETE /TN PCAppStoreUpdater /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA549.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA55C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\SelfDel.dll

Filesize
5KB

MD5
ca8bcdded6b265453cf68bae8bbd0b3a

SHA1
9dbe872ac53e075c0954c882d034aa009c733092

SHA256
299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

SHA512
a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\inetc.dll

Filesize
38KB

MD5
a35cdc9cf1d17216c0ab8c5282488ead

SHA1
ed8e8091a924343ad8791d85e2733c14839f0d36

SHA256
a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

SHA512
0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA1EC.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
91KB

MD5
6cf0be1c084f30d940c08a4835462bb0

SHA1
2feeab23cd078f98fac5ba6f8a28efa0b62df49d

SHA256
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

SHA512
c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006

Download Submit
memory/2556-174-0x00000000746B0000-0x00000000746B9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing