Analysis
max time kernel: 0s
max time network: 9s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 10:08

Static task: static1
Behavioral task: behavioral1
Sample: 2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Resource: win7-20241010-en
Errors:

(The IoC paths in the Signatures section are prefixed behavioral2, so the behavioural results shown below come from a task on the win10v2004-20241007-en image named under Analysis, not from behavioral1 on win7-20241010-en.)
General
Target: 2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Size: 1.1MB
MD5: c1eda0908f76e3d20b494d0c343016ff
SHA1: 4d19f9a5212f92610745e7f74211f242a22820f8
SHA256: 2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e
SHA512: 0baa5bdd0519a2c5677db5eddf209295c1ad27bb5bd7943642e311e130ea0136e1cd4eb654ae55e6987d96e78f51a6aabed7f84499bac2acf95e386602370e20
SSDEEP: 12288:gBb+GMoxVp0OyiF9/Rqiz4Ipsss9sXo3H1sgxJFJ+24TImI5atNToB9QbzInkPCB:gMGMun0riF9pqK4IWyaJ+jTm5QToBj1f
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource                                    yara_rule
  behavioral2/files/0x000e000000023a3a-1.dat  acprotect
Loads dropped DLL (1 IoC)
  pid   Process
  4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
UPX packed file (yara rule upx, 2 IoCs)
  resource                                                                    yara_rule
  behavioral2/files/0x000e000000023a3a-1.dat                                  upx
  behavioral2/memory/4464-5-0x00000000743B0000-0x00000000743EC000-memory.dmp  upx
The same dropped file matches both the ACProtect and the UPX rules, and the UPX rule also matches a module region inside PID 4464, the process credited with "Loads dropped DLL" above; this is consistent with the packed dropped file being the DLL the sample loads.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Three of the four hits come from taskkill.exe, a Windows-supplied binary, which shows how routinely this key is read during process start-up; on its own this signature is weak evidence of deliberate geolocation.
Enumerates system info in registry (2 TTPs, 1 IoC)
  description        ioc                                                       Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Kills process with taskkill (4 IoCs)
  pid   Process
  4264  taskkill.exe
  624   taskkill.exe
  1572  taskkill.exe
  4672  taskkill.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
  4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
  4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 4464 wrote to memory of 624    4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe  85  (3 IoCs)
  PID 4464 wrote to memory of 4264   4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe  86  (3 IoCs)
  PID 4464 wrote to memory of 4672   4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe  87  (3 IoCs)
  PID 4464 wrote to memory of 1572   4464  2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe  88  (3 IoCs)
Every target is one of the four taskkill.exe children the sample itself spawned, with exactly three writes per child. CreateProcess writes a new process's start-up parameters into the child before it runs, so this pattern is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
   PID: 4464
   - Loads dropped DLL
   - Enumerates connected drives
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2⤵ C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im svchost.exe
      PID: 624
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill

   2⤵ C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im csrss.exe
      PID: 4264
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill

   2⤵ C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /fi "pid ne 1"
      PID: 4672
      - Kills process with taskkill

   2⤵ C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im dwm.exe
      PID: 1572
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill

Read together, the four children are a kill routine rather than housekeeping: svchost.exe, csrss.exe and dwm.exe are forcibly terminated by image name, and the /fi "pid ne 1" filter excludes nothing (Windows process IDs are multiples of 4, so no process ever has PID 1), so the last call attempts to terminate every process the sample's token can open. csrss.exe is a critical system process, so a successful kill would crash the session; the report does not show the outcome of these calls. All four children run from SysWOW64, i.e. the sample is a 32-bit process (matching the arch:x86 tag).
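The following detection logic is an added example written for this page, not code from the report or from the sandbox vendor. It works over event records modelled on the process tree and the WriteProcessMemory table above (PIDs, images and command lines as listed); the sample's own parent PID (3000) and the explorer.exe bystander process are constructed so that both the "child-setup write" and the "injection candidate" branches are exercised. It flags forced taskkill invocations against core Windows processes or with catch-all filters, counts how many such kills one parent launched, and separates WriteProcessMemory targets into the writer's own children (what CreateProcess does) and unrelated processes.

```python
"""Detection logic for forced taskkill and WriteProcessMemory behaviour.
Added example for this page; not the report's or the sandbox vendor's code.
Events are constructed from the report; the sample's parent PID (3000) and
the explorer.exe bystander (PID 812) are made up to exercise every branch."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: an analyst-chosen list of processes whose forced termination
# disables core services or crashes the session.
CRITICAL_IMAGES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "svchost.exe", "dwm.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class WriteEvent:
    writer_pid: int
    target_pid: int


def _tokens(cmdline):
    # Quote-aware split that leaves Windows backslashes intact (shlex would eat them).
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_taskkill(cmdline):
    """Classify one command line; returns None if it is not taskkill at all."""
    toks = _tokens(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("taskkill", "taskkill.exe"):
        return None
    force, targets = False, {"/im": [], "/pid": [], "/fi": []}
    i = 1
    while i < len(toks):
        opt = toks[i].lower()
        if opt == "/f":
            force = True
        elif opt in targets and i + 1 < len(toks):
            i += 1
            targets[opt].append(toks[i])
        i += 1
    critical = [im for im in targets["/im"] if im.lower() in CRITICAL_IMAGES]
    # A filter-only kill reaches every process the caller can open: "pid ne 1"
    # excludes nothing because Windows PIDs are multiples of 4, so PID 1 never
    # exists. "/im *" is the same thing spelled differently.
    catch_all = ((not targets["/im"] and not targets["/pid"] and bool(targets["/fi"]))
                 or "*" in targets["/im"])
    return {"force": force, "images": targets["/im"], "filters": targets["/fi"],
            "critical_targets": critical, "catch_all": catch_all,
            "suspicious": force and (bool(critical) or catch_all)}


def classify_writes(procs, writes):
    """Group WriteProcessMemory events by (writer, target). Writes into the
    writer's own direct child are what CreateProcess does while setting up a new
    process; writes into any other process are injection candidates."""
    by_pid = {p.pid: p for p in procs}
    counts = defaultdict(int)
    for w in writes:
        counts[(w.writer_pid, w.target_pid)] += 1
    out = {}
    for (writer, target), n in counts.items():
        tgt = by_pid.get(target)
        kind = ("child-process-setup" if tgt is not None and tgt.ppid == writer
                else "cross-process-injection-candidate")
        out[(writer, target)] = {"writes": n, "kind": kind,
                                 "image": tgt.image if tgt else None}
    return out


def findings(procs, writes):
    """Analyst-facing findings for one process tree."""
    out, kills_by_parent = [], defaultdict(list)
    for p in procs:
        tk = analyze_taskkill(p.cmdline)
        if tk and tk["suspicious"]:
            what = ", ".join(tk["critical_targets"]) or "every process (filter-only kill)"
            out.append(f"pid {p.pid}: forced taskkill of {what}")
            kills_by_parent[p.ppid].append(p.pid)
    for parent, kids in kills_by_parent.items():
        if len(kids) >= 3:  # several destructive kills from one parent: a kill routine
            out.append(f"pid {parent}: spawned {len(kids)} destructive taskkill children {sorted(kids)}")
    for (writer, target), info in classify_writes(procs, writes).items():
        if info["kind"] != "child-process-setup":
            out.append(f"pid {writer}: {info['writes']} write(s) into unrelated pid {target} ({info['image']})")
    return out


# Constructed from the report's process tree (PIDs, images, command lines as shown).
SAMPLE = "2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
PROCS = [
    ProcessEvent(4464, 3000, SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    ProcessEvent(624, 4464, TASKKILL, "taskkill /f /im svchost.exe"),
    ProcessEvent(4264, 4464, TASKKILL, "taskkill /f /im csrss.exe"),
    ProcessEvent(4672, 4464, TASKKILL, 'taskkill /f /fi "pid ne 1"'),
    ProcessEvent(1572, 4464, TASKKILL, "taskkill /f /im dwm.exe"),
    ProcessEvent(812, 700, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed bystander
]
# Three writes per child exactly as the report lists, plus one constructed write
# into the bystander to show the injection branch.
WRITES = [WriteEvent(4464, t) for t in (624, 4264, 4672, 1572) for _ in range(3)]
WRITES.append(WriteEvent(4464, 812))

if __name__ == "__main__":
    print("\n".join(findings(PROCS, WRITES)))
```

Run against the report's events alone (without the constructed bystander write), the WriteProcessMemory section produces no finding at all, since every target is a direct child of PID 4464; the taskkill logic still produces four per-process findings plus the kill-routine finding for the parent. Feeding it real Sysmon Event ID 1 (parent PID, image, command line) and Event ID 8/10-style cross-process records is a matter of mapping fields into the two dataclasses.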
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 97KB
MD5: c35425ad1f0c32225d307310deccc335
SHA1: b2e347b244e40ffa113dffaffd1895777e3ac30a
SHA256: 48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7
SHA512: 47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae