5641362511a32a806a5bf59e45b34628917e5ecfcc9fa48b8468c83811098467

General

Target

source_prepared.exe
Size

6.8MB
MD5

30adcdd08f9f8b2ab6d3ed01886bcda2
SHA1

f56ccc967730fc6139fff1dc19b033c07f60c424
SHA256

5641362511a32a806a5bf59e45b34628917e5ecfcc9fa48b8468c83811098467
SHA512

fa01f284c1d1e8e7c98646904689848ea5adaef6a898bdb37f1264f465edae52e2502784683841acc61e56bad9ddad88bcabbed4e8c77173478c22f7755c44ac
SSDEEP

196608:Elb8ijtW5Pd3PKXkZSJ1D3qU+S+ZzzvVvIcv4RJ:E58H3PdZq2zzpn0

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001941a-24.dat	acprotect
behavioral1/files/0x0005000000019278-30.dat	acprotect
behavioral1/files/0x000500000001938b-33.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
1824	source_prepared.exe
1824	source_prepared.exe
1824	source_prepared.exe
1824	source_prepared.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001941a-24.dat	upx
behavioral1/memory/1824-26-0x0000000074070000-0x00000000743D1000-memory.dmp	upx
behavioral1/files/0x0005000000019278-30.dat	upx
behavioral1/memory/1824-32-0x0000000074050000-0x0000000074070000-memory.dmp	upx
behavioral1/files/0x000500000001938b-33.dat	upx
behavioral1/memory/1824-35-0x0000000073F20000-0x0000000074041000-memory.dmp	upx
behavioral1/memory/1824-38-0x0000000073F20000-0x0000000074041000-memory.dmp	upx
behavioral1/memory/1824-37-0x0000000074050000-0x0000000074070000-memory.dmp	upx
behavioral1/memory/1824-36-0x0000000074070000-0x00000000743D1000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	source_prepared.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	source_prepared.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1824	source_prepared.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1824	1044	source_prepared.exe	31
PID 1044 wrote to memory of 1824	1044	source_prepared.exe	31
PID 1044 wrote to memory of 1824	1044	source_prepared.exe	31
PID 1044 wrote to memory of 1824	1044	source_prepared.exe	31

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
  "C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10442\VCRUNTIME140.dll

Filesize
81KB

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_ctypes.pyd

Filesize
46KB

MD5
b3902e73edbb237fcc536534f447f8f7

SHA1
7885e95b77e07f77b85d9001a498748fc3c29349

SHA256
eef4408ffbbc2f604d1bcda684574b75c2e33a0a2b245f4dc3aeec19365cd208

SHA512
f106fe46100ec7c5f4bddf41d0f6fea138483af06063d1fbdf480552ad7fa3650728f8819879773efe31c4695c13a66bd63100ffb5d2fc6d1ced32cdb4ab9737

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_hashlib.pyd

Filesize
380KB

MD5
66ab04583ac01afab5786a4f1a19b9da

SHA1
88094f6b0654c548e236eb42b5063b01dc5473a5

SHA256
b9c58f6433706d7d7555b536d9173b65331764d119c85426a162b813518c4fd8

SHA512
c036b404daa660f1d0533db14c34d4a9e361f850f10a6ad576d6340f8ad61fc77386c561ae71335992817c2c0f597b944d3e4492e2ca9fca71a0fec2e37a777d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\base_library.zip

Filesize
767KB

MD5
7f140c03ce0c97bffe1edc25a0959aab

SHA1
da0f6d0ceb9065ead732f9a06eaca760c3561e5c

SHA256
381a4cadee2d853addfa09d6ed826ce737da5259fec3e9c8604678368595b1c3

SHA512
8f4873f1049efa0686be6b90d5e0cf20483f2dfd5b53ec7a4b38de6785f8b132b42cb3acc1b23f362b35dc15a7f05e0ed543b0ac42d3057cd80481ae19afb868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\python36.dll

Filesize
1.0MB

MD5
fe0fcf4d9d1556dec7a2beabab2b20c7

SHA1
179142f2a75cad94f83715ecec208e1f5da8c28e

SHA256
6a286fbb58df95a7fdb517c67d6c278f41bebc9e6463e709dcdb3c6e7aed2dee

SHA512
2667a294b0ec8c9f8199d8582769ffab555605747ac10e7c55a6a0b54e2d321f1aa265bebe8ad20441b993ceca29475bb1ff2856741bcca88581e342fcc579d2

Download Submit
memory/1824-26-0x0000000074070000-0x00000000743D1000-memory.dmp

Filesize
3.4MB

Download
memory/1824-32-0x0000000074050000-0x0000000074070000-memory.dmp

Filesize
128KB

Download
memory/1824-35-0x0000000073F20000-0x0000000074041000-memory.dmp

Filesize
1.1MB

Download
memory/1824-38-0x0000000073F20000-0x0000000074041000-memory.dmp

Filesize
1.1MB

Download
memory/1824-37-0x0000000074050000-0x0000000074070000-memory.dmp

Filesize
128KB

Download
memory/1824-36-0x0000000074070000-0x00000000743D1000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing