Analysis

  • max time kernel
    0s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2024, 10:08

Errors

Reason
Machine shutdown

General

  • Target

    2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe

  • Size

    1.1MB

  • MD5

    c1eda0908f76e3d20b494d0c343016ff

  • SHA1

    4d19f9a5212f92610745e7f74211f242a22820f8

  • SHA256

    2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e

  • SHA512

    0baa5bdd0519a2c5677db5eddf209295c1ad27bb5bd7943642e311e130ea0136e1cd4eb654ae55e6987d96e78f51a6aabed7f84499bac2acf95e386602370e20

  • SSDEEP

    12288:gBb+GMoxVp0OyiF9/Rqiz4Ipsss9sXo3H1sgxJFJ+24TImI5atNToB9QbzInkPCB:gMGMun0riF9pqK4IWyaJ+jTm5QToBj1f

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
    "C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svchost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:624
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrss.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:4264
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "pid ne 1"2
      2⤵
      • Kills process with taskkill
      PID:4672
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im dwm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:1572

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ExtraDll.dll

          Filesize

          97KB

          MD5

          c35425ad1f0c32225d307310deccc335

          SHA1

          b2e347b244e40ffa113dffaffd1895777e3ac30a

          SHA256

          48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

          SHA512

          47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

        • memory/4464-5-0x00000000743B0000-0x00000000743EC000-memory.dmp

          Filesize

          240KB