d0e1dd3bcaa049d699ac095e9598f7a7aba7d80e611139f9614dcd9aff6ca2d3

General

Target

e771cf7262b3e3ef6dda7030d20fec70N.exe
Size

4.6MB
MD5

e771cf7262b3e3ef6dda7030d20fec70
SHA1

2f9dfd7eabce9d4103f4d29f18310b6add3478de
SHA256

d0e1dd3bcaa049d699ac095e9598f7a7aba7d80e611139f9614dcd9aff6ca2d3
SHA512

30118a01b2ececbf9c3c90ff0527b76d3a14f874df34fe9c9423c8ff06c502a2645b2543c8ef3d0a9c3f2ba800d7b8718d52f21b8790d0604bc941fce93cc7f3
SSDEEP

98304:ItN109OzAArmi9ZnZxVFJh7ebZMGiLX3h:IRkOzA09bFatMnV

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023382-20.dat	acprotect

Loads dropped DLL 26 IoCs

pid	Process
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023382-20.dat	upx
behavioral2/memory/3140-102-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-100-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-94-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-93-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-87-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-81-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-76-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-72-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-66-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-62-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-57-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-55-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-49-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-44-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-40-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-36-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-35-0x00000000052F0000-0x000000000534B000-memory.dmp	upx
behavioral2/memory/3140-29-0x00000000052F0000-0x000000000534B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e771cf7262b3e3ef6dda7030d20fec70N.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\e771cf7262b3e3ef6dda7030d20fec70N.DynamicNS\Clsid\ = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID	e771cf7262b3e3ef6dda7030d20fec70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID\ = "e771cf7262b3e3ef6dda7030d20fec70N.DynamicNS"	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}	e771cf7262b3e3ef6dda7030d20fec70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ = "DynamicNS"	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32	e771cf7262b3e3ef6dda7030d20fec70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e771cf7262b3e3ef6dda7030d20fec70N.exe"	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\e771cf7262b3e3ef6dda7030d20fec70N.DynamicNS\Clsid	e771cf7262b3e3ef6dda7030d20fec70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\e771cf7262b3e3ef6dda7030d20fec70N.DynamicNS	e771cf7262b3e3ef6dda7030d20fec70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\e771cf7262b3e3ef6dda7030d20fec70N.DynamicNS\ = "DynamicNS"	e771cf7262b3e3ef6dda7030d20fec70N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe
3140	e771cf7262b3e3ef6dda7030d20fec70N.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89
PID 2168 wrote to memory of 3140	2168	e771cf7262b3e3ef6dda7030d20fec70N.exe	89

C:\Users\Admin\AppData\Local\Temp\e771cf7262b3e3ef6dda7030d20fec70N.exe
"C:\Users\Admin\AppData\Local\Temp\e771cf7262b3e3ef6dda7030d20fec70N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\e771cf7262b3e3ef6dda7030d20fec70N.exe
  tasdext
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is86D3.tmp

Filesize
40KB

MD5
ab749fd18d56d3c271d5eab107e6acac

SHA1
58b1e3a7fb30e8b9340611c888d237ea38eed95e

SHA256
988ba42209c731a0b47faeafedd1fea0fe739093fcac1909ef33ede4813d5266

SHA512
b027fa1fba70994a825e569febc5579d7628a2d82e1710046abe12aa2b9e1b054a211115791597eb10c09b37ef53a7080ded6b35cf4faaa4c45b185d94ef6c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ACEC25F8-80D9-4678-9DED-63503DED27D2}.dll

Filesize
120KB

MD5
c9f333d1ff898672a34805f94a265329

SHA1
2deaac66698fb2e9b3868d23034c3211c508b739

SHA256
07e546811635574c77edfda126b0e5f5292b4ea13f35158eddedcfc3cbf74b6b

SHA512
048c71e48e2def0bfc69ebfb69b834d650a9377082782333f50728fdfd6675df8093d0c87e606022e55d09f81549d4ca3b640bcdd33b9ddc9aace03ee1466add

Download Submit
memory/2168-15-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2168-0-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3140-87-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-81-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-16-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-12-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-4-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-2-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-1-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-6-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-13-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-102-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-103-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-100-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-94-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-93-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-9-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-14-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-76-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-72-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-66-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-104-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-105-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-62-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-57-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-55-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-49-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-44-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-40-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-8-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3140-36-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-35-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-29-0x00000000052F0000-0x000000000534B000-memory.dmp

Filesize
364KB

Download
memory/3140-106-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing