Analysis

  • max time kernel
    0s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 10:08

General

  • Target

    2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe

  • Size

    1.1MB

  • MD5

    c1eda0908f76e3d20b494d0c343016ff

  • SHA1

    4d19f9a5212f92610745e7f74211f242a22820f8

  • SHA256

    2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e

  • SHA512

    0baa5bdd0519a2c5677db5eddf209295c1ad27bb5bd7943642e311e130ea0136e1cd4eb654ae55e6987d96e78f51a6aabed7f84499bac2acf95e386602370e20

  • SSDEEP

    12288:gBb+GMoxVp0OyiF9/Rqiz4Ipsss9sXo3H1sgxJFJ+24TImI5atNToB9QbzInkPCB:gMGMun0riF9pqK4IWyaJ+jTm5QToBj1f

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
    "C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svchost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:2824
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrss.exe
      2⤵
      • Kills process with taskkill
      PID:2236
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "pid ne 1"2
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3000
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im dwm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:2988
    • C:\Windows\KillMBR_NOMBR.exe
      C:\Windows\KillMBR_NOMBR.exe
      2⤵
      PID:2500
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6FA4.tmp\6FA5.tmp\6FA6.bat C:\Windows\KillMBR_NOMBR.exe"
        3⤵
        PID:2152
        • C:\Windows\system32\rundll32.exe
          rundll32.exe MBRMurderer1.0.dll
          4⤵
          PID:2084
    • C:\Windows\SysWOW64\regini.exe
      regini www.ini
      2⤵
      PID:1476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6FA4.tmp\6FA5.tmp\6FA6.bat

    Filesize

    59B

    MD5

    c094f79dcec995a0e74caaba79c31c66

    SHA1

    6f945de199f031f916052248aed4db7a102d0d24

    SHA256

    cc5a5186bda9d77870064adeea221aac9d9e311a70d60e32c4050fd37c33d690

    SHA512

    19518c4dafb0c9d313872881f25ec8fa4e6eceac00783aa862b2c4eb6f89f852d0297f2aa1087c38e72b5418154b77824896acaacbf628ad2c3586b067fa8d3e

  • C:\Users\Admin\AppData\Local\Temp\www.ini

    Filesize

    101B

    MD5

    df98f458d660ecdf388d0d7098b92879

    SHA1

    4bf6e30eb206475678d13860b72fd89792e177cd

    SHA256

    ce80722c95f952938a53b800a0633bf85625c06ad7d6cc9c9c3a8d5ee1f4d979

    SHA512

    0ce2c057b5ae123d8d98f6032b80ea273573223976a60fb86a29ffeff4234598d828da6d28476f12e9938887d2c11fbb1fd3b18290efdc102b210c9146803778

  • C:\Windows\KillMBR_NOMBR.exe

    Filesize

    114KB

    MD5

    3e042d9063ae6207a48056daf9c85b80

    SHA1

    0e39e67cac20f9c55e234da58564cbc931b00703

    SHA256

    e269b6df6e17256ac9f844e065d00e157b5aa7ea885803e94f7feee6fdb43774

    SHA512

    03ca2a8fc9f2b1f5208c64f981c3ecfbd7e07232104e012c567c69c74dc7b51e346fb38075f0f79e5b89e4b4a3f2764fbc3880f4418166d40b1e1a879d7ad4e2

  • \Users\Admin\AppData\Local\Temp\ExtraDll.dll

    Filesize

    97KB

    MD5

    c35425ad1f0c32225d307310deccc335

    SHA1

    b2e347b244e40ffa113dffaffd1895777e3ac30a

    SHA256

    48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

    SHA512

    47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

  • memory/2944-4-0x0000000074340000-0x000000007437C000-memory.dmp

    Filesize

    240KB