Analysis Overview
SHA256
2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e
Threat Level: Shows suspicious behavior
The file 2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e was classified as: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Enumerates connected drives
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates system info in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 10:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 10:08
Reported
2024-11-07 10:11
Platform
win7-20241010-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
"C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svchost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /fi "pid ne 1"2
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im dwm.exe
C:\Windows\KillMBR_NOMBR.exe
C:\Windows\KillMBR_NOMBR.exe
C:\Windows\SysWOW64\regini.exe
regini www.ini
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6FA4.tmp\6FA5.tmp\6FA6.bat C:\Windows\KillMBR_NOMBR.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe MBRMurderer1.0.dll
Network
Files
memory/2944-4-0x0000000074340000-0x000000007437C000-memory.dmp
\Users\Admin\AppData\Local\Temp\ExtraDll.dll
| Hash | Value |
|---|---|
| MD5 | c35425ad1f0c32225d307310deccc335 |
| SHA1 | b2e347b244e40ffa113dffaffd1895777e3ac30a |
| SHA256 | 48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7 |
| SHA512 | 47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae |
C:\Windows\KillMBR_NOMBR.exe
| Hash | Value |
|---|---|
| MD5 | 3e042d9063ae6207a48056daf9c85b80 |
| SHA1 | 0e39e67cac20f9c55e234da58564cbc931b00703 |
| SHA256 | e269b6df6e17256ac9f844e065d00e157b5aa7ea885803e94f7feee6fdb43774 |
| SHA512 | 03ca2a8fc9f2b1f5208c64f981c3ecfbd7e07232104e012c567c69c74dc7b51e346fb38075f0f79e5b89e4b4a3f2764fbc3880f4418166d40b1e1a879d7ad4e2 |
C:\Users\Admin\AppData\Local\Temp\6FA4.tmp\6FA5.tmp\6FA6.bat
| Hash | Value |
|---|---|
| MD5 | c094f79dcec995a0e74caaba79c31c66 |
| SHA1 | 6f945de199f031f916052248aed4db7a102d0d24 |
| SHA256 | cc5a5186bda9d77870064adeea221aac9d9e311a70d60e32c4050fd37c33d690 |
| SHA512 | 19518c4dafb0c9d313872881f25ec8fa4e6eceac00783aa862b2c4eb6f89f852d0297f2aa1087c38e72b5418154b77824896acaacbf628ad2c3586b067fa8d3e |
C:\Users\Admin\AppData\Local\Temp\www.ini
| Hash | Value |
|---|---|
| MD5 | df98f458d660ecdf388d0d7098b92879 |
| SHA1 | 4bf6e30eb206475678d13860b72fd89792e177cd |
| SHA256 | ce80722c95f952938a53b800a0633bf85625c06ad7d6cc9c9c3a8d5ee1f4d979 |
| SHA512 | 0ce2c057b5ae123d8d98f6032b80ea273573223976a60fb86a29ffeff4234598d828da6d28476f12e9938887d2c11fbb1fd3b18290efdc102b210c9146803778 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 10:08
Reported
2024-11-07 10:09
Platform
win10v2004-20241007-en
Max time kernel
0s
Max time network
9s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe
"C:\Users\Admin\AppData\Local\Temp\2331583b82f6f05f16c885ef387b8753c84e5bc835b79e703bb05ab4d2d0536e.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svchost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /fi "pid ne 1"2
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im dwm.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\ExtraDll.dll
| Hash | Value |
|---|---|
| MD5 | c35425ad1f0c32225d307310deccc335 |
| SHA1 | b2e347b244e40ffa113dffaffd1895777e3ac30a |
| SHA256 | 48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7 |
| SHA512 | 47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae |
memory/4464-5-0x00000000743B0000-0x00000000743EC000-memory.dmp