c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4

General

Target

c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
Size

5.8MB
MD5

346e0ac45834c74b3758c40f1ba241a4
SHA1

6e6a1bb289c61eaae4057e55ab39bc2fb8a7aeaa
SHA256

c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4
SHA512

0a6bc39b62af357b0a19260ba20684636b2b6812316e6e857fd59ab0e97a554b5877e4665a3f20b2d22eafb19fa5ab8e61d8294db8330c7c2e68e75e36bc5556
SSDEEP

98304:05JhC3y1DpFy+5evLhYXvyiaVwnHVzArOSqeDalc6de:vivgLy6i7c9BDal2

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c6f-15.dat	acprotect
behavioral2/files/0x000c000000023ada-26.dat	acprotect
behavioral2/files/0x0008000000023c69-36.dat	acprotect

Loads dropped DLL 8 IoCs

pid	Process
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3152-6-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral2/memory/3152-5-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral2/files/0x0007000000023c6f-15.dat	upx
behavioral2/memory/3152-19-0x00000000047C0000-0x0000000004B47000-memory.dmp	upx
behavioral2/memory/3152-18-0x00000000047C0000-0x0000000004B47000-memory.dmp	upx
behavioral2/files/0x000c000000023ada-26.dat	upx
behavioral2/memory/3152-30-0x00000000737F0000-0x0000000073A28000-memory.dmp	upx
behavioral2/memory/3152-40-0x0000000073790000-0x00000000737C0000-memory.dmp	upx
behavioral2/files/0x0008000000023c69-36.dat	upx
behavioral2/memory/3152-46-0x00000000737F0000-0x0000000073A28000-memory.dmp	upx
behavioral2/memory/3152-49-0x0000000073790000-0x00000000737C0000-memory.dmp	upx
behavioral2/memory/3152-48-0x00000000047C0000-0x0000000004B47000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
320	3152	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4728	cmd.exe
2884	NETSTAT.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2884	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	NETSTAT.EXE
Token: SeDebugPrivilege	3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4728	3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	88
PID 3152 wrote to memory of 4728	3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	88
PID 3152 wrote to memory of 4728	3152	c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe	88
PID 4728 wrote to memory of 2884	4728	cmd.exe	90
PID 4728 wrote to memory of 2884	4728	cmd.exe	90
PID 4728 wrote to memory of 2884	4728	cmd.exe	90
PID 4728 wrote to memory of 4792	4728	cmd.exe	91
PID 4728 wrote to memory of 4792	4728	cmd.exe	91
PID 4728 wrote to memory of 4792	4728	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe
"C:\Users\Admin\AppData\Local\Temp\c606b93e5cfc761f7c4d17144cbb5981f07c3795dee8a1ae677c1c48c1766eb4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find ":41200 "
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Connections Discovery
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Connections Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\find.exe
    find ":41200 "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 932
  2⤵
  - Program crash
  PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
1⤵
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wv2++.dll

Filesize
1.5MB

MD5
860a922b27e5ff77c5ae3ef0092b17db

SHA1
58dc7a6e37d5eb0e017b480295b0a057f9274973

SHA256
48f8328a6135e7910c5ceeb05626d1d66dcdcd867b7dc7e1cc87d627d9e8790f

SHA512
302a736c1b8aa93fe118372dc8d25b84d69f7154be8110317ca289a5c3c2c6002f9e29ea1497b0cc80c61f27b6657292f6b17e8f34b25a0605e5185c9a85f7bf

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2Loader.dll

Filesize
112KB

MD5
e12389f7769a1b1d3328493518658cd0

SHA1
9b40a6bb34f1335f40d1e2fcb8e1a44d114e7d54

SHA256
3d2226dc9994f49c14de623233a99be1f3717cfda927fbde8d6e21908c279b72

SHA512
97323931a273626fb6904d5893915914c92043a7b0e13776d2bb518326cb846c9c374e6975253a4eabcdb1e526bcb081c9ff404d64787f475ba20a934a9c60a2

Download Submit
C:\Users\Admin\Documents\ee\Plugins\WebView2Runtime.dll

Filesize
56KB

MD5
b723e0277663c415c7b862f18c4bd160

SHA1
caa8d11ffcee0cf310ec9e512fb07d16ae34e6ee

SHA256
4429c11eefc4e40274e7ad6c6c6f7dff16298b44e7fb8c618a32d2bf70f708cc

SHA512
9994a05f61e309387dabdc1bf75d180b3f987ad9444deac0afdf538bd51e4a06e69edf675a3c40b5164a30e79a64446e71b72646a55904af8086c694cb3f1a44

Download Submit
C:\Users\Admin\Documents\ee\Plugins\hps4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
C:\Users\Admin\Documents\ee\Plugins\rdjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\Users\Admin\Documents\ee\Plugins\yyjson.dll

Filesize
456KB

MD5
f7e8a4be9dc7a7c3e7a75f861223cac2

SHA1
7e77900ac2fe952fba12ec88f1c92d3a13e534b6

SHA256
32e91c06f7aa35f6dde3f753b1066752db87a9bca0a33e5e043e0493f32cc4fe

SHA512
5c32d9be1c3ed0814c65af48fff0faa9d3200c8424f098f6df7f49e8ccc87880ebe891d4f19481d7870e93e5732870b02ed153125749e911a8199ec7e8388be6

Download Submit
memory/3152-19-0x00000000047C0000-0x0000000004B47000-memory.dmp

Filesize
3.5MB

Download
memory/3152-18-0x00000000047C0000-0x0000000004B47000-memory.dmp

Filesize
3.5MB

Download
memory/3152-30-0x00000000737F0000-0x0000000073A28000-memory.dmp

Filesize
2.2MB

Download
memory/3152-5-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3152-40-0x0000000073790000-0x00000000737C0000-memory.dmp

Filesize
192KB

Download
memory/3152-6-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3152-46-0x00000000737F0000-0x0000000073A28000-memory.dmp

Filesize
2.2MB

Download
memory/3152-49-0x0000000073790000-0x00000000737C0000-memory.dmp

Filesize
192KB

Download
memory/3152-48-0x00000000047C0000-0x0000000004B47000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing