7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216

General

Target

7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
Size

4.8MB
MD5

8d8c8f7ba9c8d1e7050ff6d9b1c4c6ab
SHA1

76bc5ae06e2398dcebe0be197abaf488a2f4ce44
SHA256

7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216
SHA512

b7bbe2b60920b405b2f9d5fba87367e982b645fbd301e6390cf2ad634bfbf0d14cb22d8abbcb2dbe464af95051a3d1bbc97fac4700fdfb6870c8711174354376
SSDEEP

98304:OINwxm9ZnKjrYqdEiwVBd4KBdvYs/cxoO65dssQ:exm9oK4CdtTx3ss

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0011000000012251-24.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2900	AQuO6ix.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	AQuO6ix.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
2900	AQuO6ix.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0011000000012251-24.dat	upx
behavioral1/memory/2900-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2900-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2900-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AQuO6ix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
Token: SeDebugPrivilege	2900	AQuO6ix.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
2900	AQuO6ix.exe
2900	AQuO6ix.exe
2900	AQuO6ix.exe
2900	AQuO6ix.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2900	2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe	31
PID 2876 wrote to memory of 2900	2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe	31
PID 2876 wrote to memory of 2900	2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe	31
PID 2876 wrote to memory of 2900	2876	7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe	31

C:\Users\Admin\AppData\Local\Temp\7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe
"C:\Users\Admin\AppData\Local\Temp\7c1488e9775da8c9a463806f32dc9c66fc45acbeb15357379859004e514c5216.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\AQuO6ix.exe
  %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%37%63%31%34%38%38%65%39%37%37%35%64%61%38%63%39%61%34%36%33%38%30%36%66%33%32%64%63%39%63%36%36%66%63%34%35%61%63%62%65%62%31%35%33%35%37%33%37%39%38%35%39%30%30%34%65%35%31%34%63%35%32%31%36%2E%65%78%65
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.bms

Filesize
1KB

MD5
62070d7e3825e9e5ecfecdc72149d35b

SHA1
ebf1c359224b976522bce7f482b8d3a8f72be5cc

SHA256
108137fc7b260e5eebe49b95b901253e49133e0b0f9837f7366182670875157b

SHA512
fa5ca552b663bda6fe336d3f5268c0acfe3381dfba5128ace0830627f264982cdf2fc16dcfb75748209d92e0fe670ae2285775ddc10a4db698294f8d365abff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C3E0E01

Filesize
1KB

MD5
4ae32af863cfae4a593beae8433b7bd7

SHA1
c0ed7ba1475516ad2aa049778398ce10b4f800a7

SHA256
415cdfabc8c1960c0f5b7ece6922ee9b799db21723e22a59f28fb0d469bfb0ff

SHA512
920bfd9e038aa8b75e53b5d5d560f6353967537ac4f37a158112fda11b5af50cc6369964c6dc9516c7a7a6a8c9df0deb45aedbdc829e36672a06a3732d76f998

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C3E0E01

Filesize
1KB

MD5
2665e06960c0f06fe20b29f2db91b999

SHA1
01790fde5ead8d211efd1625f2b8dffbbaad13c9

SHA256
cedeba26a8b9e08be530fb5f8257d6ae37cb5bea03679e26e4b78b3211c071a9

SHA512
654c47b97cf900b01756aeab476764c5721f4e9ac2b3bbc6538e360242d1d0d489f26a1388ec41a08721325d44fba8c68d6e0da1fab80b6f8e6194dcda3f697e

Download Submit
\Users\Admin\AppData\Local\Temp\AQuO6ix.exe

Filesize
4.8MB

MD5
be0c3c92be934180d1b31a78fb428fc1

SHA1
c902546a076ba425ca62f066ee2011cee062ba6a

SHA256
e2bc5dd568d1b77e8c9afb20b4b920d5e94b1db8dfabf8099f5cd3b3fb279b2e

SHA512
4bcf2a2ee8300bac18af5b1273cb3f1c0f4d43027d6098c5110246b1ad32d221f003868a92083aed39ccfb5e54cb759dc241eb5ed0cc10856e90fee6af5783d8

Download Submit
\Users\Admin\AppData\Local\Temp\Skin.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/2900-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2900-28-0x0000000010009000-0x000000001000A000-memory.dmp

Filesize
4KB

Download
memory/2900-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2900-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2900-48-0x0000000010009000-0x000000001000A000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing