e849a572a97e2c481768278f885a774bd60291f9d7aa75954470037709252d4a

General

Target

$PLUGINSDIR/calc.exe
Size

1.3MB
MD5

97e47588a35219417f64ee2184e99118
SHA1

37d77f2594d3a5e81f4aebe0efdc24506b17f542
SHA256

fd20d30fb61ae75dfb715837d811250b2dcce0fc40b2bd3af6533dac50860513
SHA512

39c550d772940d06be3dfdd27ae051a895a2e9887a837131b21ac9470f5e9fb929e8c29d4338cdd8b5406c42973d84546312ac3767c28006a1b77192937bfa1a
SSDEEP

24576:3k+aDRGujRURnI9krKmsXKSzEnMG9iN8MQCUT9Kkn7/jLztCS6FExvZK8fRcbKJK:3k+aDRiEmsQnMG0N8MZs3nvQFExBibiK

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000a000000023ba2-8.dat	acprotect
behavioral4/files/0x000a000000023ba6-12.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000a000000023ba8-32.dat	aspack_v212_v242

Loads dropped DLL 9 IoCs

pid	Process
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4856-0-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral4/files/0x000a000000023ba2-8.dat	upx
behavioral4/memory/4856-9-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral4/files/0x000a000000023ba6-12.dat	upx
behavioral4/memory/4856-16-0x0000000002390000-0x00000000023E8000-memory.dmp	upx
behavioral4/memory/4856-47-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral4/memory/4856-48-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral4/memory/4856-49-0x0000000002390000-0x00000000023E8000-memory.dmp	upx
behavioral4/memory/4856-51-0x0000000010000000-0x000000001012A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe
4856	calc.exe

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\calc.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\calc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\SkinH_EL.dll

Filesize
107KB

MD5
2c9e22f960ca9c2f4caaa2a37d443eda

SHA1
3b90206f1ebb726013067adba3bc180f3c388f0a

SHA256
fbdb8ece088f95538de2690a630af44709be2c0cc5a1693bb4db2ed71d1661d3

SHA512
e307f5edc36695f10e20692df02fa5de661f7ef57257a2c41cc459cea9430bd162fb9eb7679b19f50e4400abf31413520a0b1a44bfc48261d56a2941094afdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eGrid.fne

Filesize
408KB

MD5
709f1646c30262b9f77a8aa72b29c59f

SHA1
3167a0f7382fdbd7990d63ffc2160b976690f1df

SHA256
7172c513f350e70465f2015e3bfa4e58a1ba69d1bf783c684f40fd8483f1c883

SHA512
3377556481f9c9734fcff765b0d48b38939ac68fe46f7a369fd627acc07d08cfe371847177965b07635c1ad028ff4d03d4bf98505d37233c829d5f996ebabec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext.fnr

Filesize
200KB

MD5
c597e19abcd8c10ea2ac0d33c419a93e

SHA1
18df89699e55745ef26bbffafb2ecfc8492a4492

SHA256
5ed76826bd31aa480d6e615da89fd023921810bcdacfdbf5ec090974afe321d6

SHA512
73a9869466e3c59112e22e6ba75f8e4d901fbd6acc6a1c1248963a7371d6a27b197f35ab7605559428262be852291bc78b081259a8a2f0f6ed066be371678c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext2.fne

Filesize
113KB

MD5
90598b9170d705d6ba5f4a8fd99359f0

SHA1
154505937c94821696f65c94af869b3393415f6b

SHA256
962dc01fdbe0aa30a0b7c1b235073e8bdf285cceaa7b98e19257d68e5164a0d2

SHA512
7024123f2648258638696a3258932444827dc4ef98453d244d3392e9411369de50a6dc373b2fcc300c9a6a3db9d069f22222168073f632a29dd2c36e1285c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
429KB

MD5
4fbc687f3af1e007a5ffabbda393ec7b

SHA1
b714435f7150608adc23d3df4d783bae1066b10e

SHA256
1d4bb9515b54e265985129591a53af9eba38dac98094d352427bd9f819b8c6fe

SHA512
694a43b8cfa41357065f948df1036e954d730038156a079d7528f732b574dc60d0dbd0fc88bbba615e9c26ed04821260a1740f3d15769e8730885a51859d7502

Download Submit
memory/4856-28-0x0000000002640000-0x00000000026B5000-memory.dmp

Filesize
468KB

Download
memory/4856-38-0x0000000004070000-0x00000000040D0000-memory.dmp

Filesize
384KB

Download
memory/4856-16-0x0000000002390000-0x00000000023E8000-memory.dmp

Filesize
352KB

Download
memory/4856-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4856-9-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/4856-45-0x0000000004071000-0x00000000040B1000-memory.dmp

Filesize
256KB

Download
memory/4856-46-0x0000000004070000-0x00000000040D0000-memory.dmp

Filesize
384KB

Download
memory/4856-21-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/4856-37-0x0000000004070000-0x00000000040D0000-memory.dmp

Filesize
384KB

Download
memory/4856-43-0x0000000004070000-0x00000000040D0000-memory.dmp

Filesize
384KB

Download
memory/4856-47-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4856-48-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/4856-49-0x0000000002390000-0x00000000023E8000-memory.dmp

Filesize
352KB

Download
memory/4856-51-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing