8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 21:47

Target

8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Size

21KB
MD5

08bf616ddf66fd61fed9ce4e2a3da35b
SHA1

25211039f8e3ba1b5a84ba970e7569f2a5dabc03
SHA256

8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5
SHA512

6c941d1d94ff4096aef1fe029135183a778efdd287a51bd85593000824f2d839902fa8f419f3981b3d474552f4b3c537a98931a6fe76f8b178d9ae84f98b6c71
SSDEEP

384:ykXGOu8sCuKy5xqq6c30tbs7PUa7+NNnjClkEHJFTDa4u2zsesZDeCixq:TXfsC2KWQClkyJo2zOeCd

Score

9^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000022e27-132.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0003000000022e27-132.dat	upx
behavioral2/memory/4844-134-0x0000000010000000-0x000000001001D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4844	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\covzmqxc.dll	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\verclsid.exe	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}\	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}\InProcServer32	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}\InProcServer32\ = "C:\\Windows\\SysWow64\\covzmqxc.dll"	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}\InProcServer32\ThreadingModel = "Apartment"	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}\InProcServer32\Temp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe"	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8357F8-F053-42ec-B632-CEB8AC12745C}	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	8ac209d9a75786c205855834edf13be67b7bd6819bac55cabef50e0cc2a903e5.exe

C:\Windows\SysWOW64\covzmqxc.dll

Filesize
18KB

MD5
3ddc3db7dc7d5b9b955bb44899e4d370

SHA1
f57f6575c06bed8ad8b1ea3d4b8fd2d20a0ce47e

SHA256
0a98f1b67c3f81906892d2e4569b545b9cb6c70e3d28e6d2c67736d962ef50f6

SHA512
fc4eb57a06c7cbe607602a0ba29d17968156b85497fe5d095c96f8dcc7c74aadb10e57890e018aa578ad471965878a7567efe00314f7f8edaa7a57110c4cef58

Download Submit
memory/4844-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4844-134-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download