Analysis
-
max time kernel
0s -
max time network
0s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 08:06
Behavioral task
behavioral1
Sample
Info.5394.htm .exe
Resource
win7-20240903-en
General
-
Target
Info.5394.htm .exe
-
Size
31KB
-
MD5
47cc271e765e6cdf0562e692ce805b35
-
SHA1
0f40032c4deeee340b959c919222e255a63e1043
-
SHA256
de9bf3159bd5a7b663e8d8a4dc9f9dd921c044bf0564a795a085f9b730d0cfb5
-
SHA512
5ebbd9b7ef65771c9d95ff12c855da7731f5c4831179e0352841876d71236197596b4d75022f9248fe6bb06c5d166735a825f6af002467cffb6a5ed75bfb61a8
-
SSDEEP
768:OYuwqgY48mWxEgfXmBN0ldWxOFfXFQ30ABVv:OYwIWT+BqldWxUSESv
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000c000000012260-3.dat acprotect -
Loads dropped DLL 1 IoCs
pid Process 2324 Info.5394.htm .exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yxtvpiv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Info.5394.htm .exe" Info.5394.htm .exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ika.dll Info.5394.htm .exe File opened for modification C:\Windows\SysWOW64\ikqymej.exe Info.5394.htm .exe File created C:\Windows\SysWOW64\ikqymej.exe Info.5394.htm .exe -
resource yara_rule behavioral1/memory/2324-0-0x00000000004A0000-0x00000000004B1000-memory.dmp upx behavioral1/files/0x000c000000012260-3.dat upx behavioral1/memory/2324-5-0x00000000721F0000-0x00000000721F8000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Info.5394.htm .exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies registry class 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ika.dll" Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32 Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153} Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node Info.5394.htm .exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Info.5394.htm .exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2324 Info.5394.htm .exe 2324 Info.5394.htm .exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2324 Info.5394.htm .exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2324 wrote to memory of 1868 2324 Info.5394.htm .exe 31 PID 2324 wrote to memory of 1868 2324 Info.5394.htm .exe 31 PID 2324 wrote to memory of 1868 2324 Info.5394.htm .exe 31 PID 2324 wrote to memory of 1868 2324 Info.5394.htm .exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Info.5394.htm .exe"C:\Users\Admin\AppData\Local\Temp\Info.5394.htm .exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\notepad.exenotepad "C:\Users\Admin\AppData\Local\Temp\Message"2⤵
- System Location Discovery: System Language Discovery
PID:1868
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bc283ccc713fd089debad8ff9828d097
SHA137a8910e63423b37f67e8ceed82b94ee08c7fb07
SHA2561882821f1b788bc2a58abfaab6a58bd352aaa91f11a2ae91bfdc4c50c9fbc8ef
SHA512dea3bfd81f9b62550930c4dd464123f1e935ee5b511263cb31986e13c66eaf3b1f1da387aa22076395051731764d12222ba05cf43cf3440755d182926aeed0d7
-
Filesize
9KB
MD5388c0ebf65424dcfc1911485fd01647f
SHA12b6e8d949523549e611316a52c7b892bff92af1f
SHA256a29e37c52077bb3dced7b389a3c2e65dd0b51d7bb865d2100a8d5f162fe07c9f
SHA512930fcafd847c4b537852c21a82c05fb34370e64e00128a5d7667165817e2b20d83d0eb225772ecc425d0c902f3c1287475a73a9a464a6f364f539daa0859e9ce