c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4

Analysis

max time kernel
19s
max time network
25s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
Size

5.8MB
MD5

346e0ac45834c74b3758c40f1ba241a4
SHA1

6e6a1bb289c61eaae4057e55ab39bc2fb8a7aeaa
SHA256

c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4
SHA512

0a6bc39b62af357b0a19260ba20684636b2b6812316e6e857fd59ab0e97a554b5877e4665a3f20b2d22eafb19fa5ab8e61d8294db8330c7c2e68e75e36bc5556
SSDEEP

98304:05JhC3y1DpFy+5evLhYXvyiaVwnHVzArOSqeDalc6de:vivgLy6i7c9BDal2

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000194d2-11.dat	acprotect
behavioral1/files/0x00060000000194e3-19.dat	acprotect
behavioral1/files/0x000700000001958e-27.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
916	WerFault.exe
916	WerFault.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-5-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral1/memory/2528-4-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral1/files/0x00060000000194d2-11.dat	upx
behavioral1/memory/2528-13-0x0000000003C00000-0x0000000003F87000-memory.dmp	upx
behavioral1/files/0x00060000000194e3-19.dat	upx
behavioral1/memory/2528-22-0x0000000073E00000-0x0000000074038000-memory.dmp	upx
behavioral1/memory/2528-30-0x0000000074390000-0x00000000743C0000-memory.dmp	upx
behavioral1/files/0x000700000001958e-27.dat	upx
behavioral1/memory/2528-211-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral1/memory/2528-212-0x0000000003C00000-0x0000000003F87000-memory.dmp	upx
behavioral1/memory/2528-215-0x0000000074390000-0x00000000743C0000-memory.dmp	upx
behavioral1/memory/2528-216-0x0000000073E00000-0x0000000074038000-memory.dmp	upx
behavioral1/memory/2528-223-0x0000000003C00000-0x0000000003F87000-memory.dmp	upx
behavioral1/memory/2528-224-0x0000000073E00000-0x0000000074038000-memory.dmp	upx
behavioral1/memory/2528-225-0x0000000074390000-0x00000000743C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	2528	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2064	cmd.exe
1840	NETSTAT.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1840	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	NETSTAT.EXE
Token: SeDebugPrivilege	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2064	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	30
PID 2528 wrote to memory of 2064	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	30
PID 2528 wrote to memory of 2064	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	30
PID 2528 wrote to memory of 2064	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	30
PID 2064 wrote to memory of 1840	2064	cmd.exe	32
PID 2064 wrote to memory of 1840	2064	cmd.exe	32
PID 2064 wrote to memory of 1840	2064	cmd.exe	32
PID 2064 wrote to memory of 1840	2064	cmd.exe	32
PID 2064 wrote to memory of 2480	2064	cmd.exe	33
PID 2064 wrote to memory of 2480	2064	cmd.exe	33
PID 2064 wrote to memory of 2480	2064	cmd.exe	33
PID 2064 wrote to memory of 2480	2064	cmd.exe	33
PID 2528 wrote to memory of 916	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	34
PID 2528 wrote to memory of 916	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	34
PID 2528 wrote to memory of 916	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	34
PID 2528 wrote to memory of 916	2528	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	34

C:\Users\Admin\AppData\Local\Temp\c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
"C:\Users\Admin\AppData\Local\Temp\c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find ":41200 "
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Connections Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Connections Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\find.exe
    find ":41200 "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 468
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83D7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
\Users\Admin\AppData\Local\Temp\wv2++.dll

Filesize
1.5MB

MD5
860a922b27e5ff77c5ae3ef0092b17db

SHA1
58dc7a6e37d5eb0e017b480295b0a057f9274973

SHA256
48f8328a6135e7910c5ceeb05626d1d66dcdcd867b7dc7e1cc87d627d9e8790f

SHA512
302a736c1b8aa93fe118372dc8d25b84d69f7154be8110317ca289a5c3c2c6002f9e29ea1497b0cc80c61f27b6657292f6b17e8f34b25a0605e5185c9a85f7bf

Download Submit
\Users\Admin\Documents\ee\Plugins\WebView2Loader.dll

Filesize
112KB

MD5
e12389f7769a1b1d3328493518658cd0

SHA1
9b40a6bb34f1335f40d1e2fcb8e1a44d114e7d54

SHA256
3d2226dc9994f49c14de623233a99be1f3717cfda927fbde8d6e21908c279b72

SHA512
97323931a273626fb6904d5893915914c92043a7b0e13776d2bb518326cb846c9c374e6975253a4eabcdb1e526bcb081c9ff404d64787f475ba20a934a9c60a2

Download Submit
\Users\Admin\Documents\ee\Plugins\WebView2Runtime.dll

Filesize
56KB

MD5
b723e0277663c415c7b862f18c4bd160

SHA1
caa8d11ffcee0cf310ec9e512fb07d16ae34e6ee

SHA256
4429c11eefc4e40274e7ad6c6c6f7dff16298b44e7fb8c618a32d2bf70f708cc

SHA512
9994a05f61e309387dabdc1bf75d180b3f987ad9444deac0afdf538bd51e4a06e69edf675a3c40b5164a30e79a64446e71b72646a55904af8086c694cb3f1a44

Download Submit
\Users\Admin\Documents\ee\Plugins\hps4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
\Users\Admin\Documents\ee\Plugins\rdjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
\Users\Admin\Documents\ee\Plugins\yyjson.dll

Filesize
456KB

MD5
f7e8a4be9dc7a7c3e7a75f861223cac2

SHA1
7e77900ac2fe952fba12ec88f1c92d3a13e534b6

SHA256
32e91c06f7aa35f6dde3f753b1066752db87a9bca0a33e5e043e0493f32cc4fe

SHA512
5c32d9be1c3ed0814c65af48fff0faa9d3200c8424f098f6df7f49e8ccc87880ebe891d4f19481d7870e93e5732870b02ed153125749e911a8199ec7e8388be6

Download Submit
memory/2528-30-0x0000000074390000-0x00000000743C0000-memory.dmp

Filesize
192KB

Download
memory/2528-22-0x0000000073E00000-0x0000000074038000-memory.dmp

Filesize
2.2MB

Download
memory/2528-13-0x0000000003C00000-0x0000000003F87000-memory.dmp

Filesize
3.5MB

Download
memory/2528-4-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2528-5-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2528-211-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2528-212-0x0000000003C00000-0x0000000003F87000-memory.dmp

Filesize
3.5MB

Download
memory/2528-215-0x0000000074390000-0x00000000743C0000-memory.dmp

Filesize
192KB

Download
memory/2528-216-0x0000000073E00000-0x0000000074038000-memory.dmp

Filesize
2.2MB

Download
memory/2528-223-0x0000000003C00000-0x0000000003F87000-memory.dmp

Filesize
3.5MB

Download
memory/2528-224-0x0000000073E00000-0x0000000074038000-memory.dmp

Filesize
2.2MB

Download
memory/2528-225-0x0000000074390000-0x00000000743C0000-memory.dmp

Filesize
192KB

Download