a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
Size

3.6MB
MD5

7822ba123a33b50ed8d90156e5c70aa0
SHA1

f0294599e3a4a62d068396fc1cb4c88bfd5c9277
SHA256

a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35
SHA512

06ad98e62617f49a7fc6234c86ce541d46fcf405e47518873d4d51c5686afcee40ed533581e50c899fff2e5a36e5b9d17754574f1b67d87024531d7785187403
SSDEEP

98304:8cESJR29eT8qN0PeeM+zcnJQ1VaUFpt74obCo:LD2bqN8e1oj

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000013a31-88.dat	acprotect
behavioral1/files/0x0007000000013a31-89.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
840	wf86.exe
1692	wf86.exe
1964	ÊÍ·ÅÎÞ×¢Èë.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013a31-88.dat	upx
behavioral1/files/0x0007000000013a31-89.dat	upx
behavioral1/memory/688-90-0x0000000010000000-0x00000000100B5000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
840	wf86.exe
840	wf86.exe
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
688	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File opened for modification	C:\WINDOWS\SysWOW64\SkinH_EL.dll	ÊÍ·ÅÎÞ×¢Èë.exe
File created	C:\WINDOWS\SysWOW64\SkinH_EL.dll	ÊÍ·ÅÎÞ×¢Èë.exe
File opened for modification	C:\WINDOWS\SysWOW64\wf86.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File created	C:\WINDOWS\SysWOW64\wf86.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File opened for modification	C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	svchost.exe
Token: SeDebugPrivilege	688	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
1964	ÊÍ·ÅÎÞ×¢Èë.exe
1964	ÊÍ·ÅÎÞ×¢Èë.exe
688	svchost.exe
688	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 840	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	27
PID 1760 wrote to memory of 840	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	27
PID 1760 wrote to memory of 840	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	27
PID 1760 wrote to memory of 840	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	27
PID 840 wrote to memory of 1692	840	wf86.exe	28
PID 840 wrote to memory of 1692	840	wf86.exe	28
PID 840 wrote to memory of 1692	840	wf86.exe	28
PID 840 wrote to memory of 1692	840	wf86.exe	28
PID 1760 wrote to memory of 1964	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	29
PID 1760 wrote to memory of 1964	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	29
PID 1760 wrote to memory of 1964	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	29
PID 1760 wrote to memory of 1964	1760	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	29
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30
PID 1964 wrote to memory of 688	1964	ÊÍ·ÅÎÞ×¢Èë.exe	30

C:\Users\Admin\AppData\Local\Temp\a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
"C:\Users\Admin\AppData\Local\Temp\a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\WINDOWS\SysWOW64\wf86.exe
  C:\WINDOWS\system32\wf86.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\WINDOWS\SysWOW64\wf86.exe
    C:\WINDOWS\system32\wf86.exe
    3⤵
    - Executes dropped EXE
    PID:1692
- C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe
  C:\WINDOWS\system32\ÊÍ·ÅÎÞ×¢Èë.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\WINDOWS\SysWOW64\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\SkinH_EL.dll

Filesize
130KB

MD5
4529a158ba13571b9d3168175f58c088

SHA1
ea54deff00110a0c7229dc51f2d56dd0a1643a2d

SHA256
1a73b8440e3dd250b0ef8294f07eff5cf30ba2f308aeb42d301be7104e497a5b

SHA512
ed522c80d50c48ff775e5f09257b76a44d5bcada56be282597f9ff1e0b2e4c12522eadb49df8dfb5d44cab0a9fa4eece25babdb8e7901dfd2882c044681c8fc2

Download Submit
C:\WINDOWS\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\Windows\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe

Filesize
3.0MB

MD5
5d89fd4e1fd3166592dc9baef37a6e29

SHA1
aa5bee54d1a946484858679d1dd83a443dabc8ad

SHA256
2f590bed78f6bd32225686a276edfe253e5eaf8443ded6b4b7b84b1a032e2660

SHA512
ba082667ce08e99b9df971e994e5ecf31b60388fa1748c144e389226e19b2307cc47880114415f048400013e0fe1c445a0af4c489c14b9c148fb2f0de489dabb

Download Submit
\Windows\SysWOW64\SkinH_EL.dll

Filesize
130KB

MD5
4529a158ba13571b9d3168175f58c088

SHA1
ea54deff00110a0c7229dc51f2d56dd0a1643a2d

SHA256
1a73b8440e3dd250b0ef8294f07eff5cf30ba2f308aeb42d301be7104e497a5b

SHA512
ed522c80d50c48ff775e5f09257b76a44d5bcada56be282597f9ff1e0b2e4c12522eadb49df8dfb5d44cab0a9fa4eece25babdb8e7901dfd2882c044681c8fc2

Download Submit
\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
\Windows\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe

Filesize
3.0MB

MD5
5d89fd4e1fd3166592dc9baef37a6e29

SHA1
aa5bee54d1a946484858679d1dd83a443dabc8ad

SHA256
2f590bed78f6bd32225686a276edfe253e5eaf8443ded6b4b7b84b1a032e2660

SHA512
ba082667ce08e99b9df971e994e5ecf31b60388fa1748c144e389226e19b2307cc47880114415f048400013e0fe1c445a0af4c489c14b9c148fb2f0de489dabb

Download Submit
\Windows\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe

Filesize
3.0MB

MD5
5d89fd4e1fd3166592dc9baef37a6e29

SHA1
aa5bee54d1a946484858679d1dd83a443dabc8ad

SHA256
2f590bed78f6bd32225686a276edfe253e5eaf8443ded6b4b7b84b1a032e2660

SHA512
ba082667ce08e99b9df971e994e5ecf31b60388fa1748c144e389226e19b2307cc47880114415f048400013e0fe1c445a0af4c489c14b9c148fb2f0de489dabb

Download Submit
memory/688-70-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-87-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-90-0x0000000010000000-0x00000000100B5000-memory.dmp

Filesize
724KB

Download
memory/688-74-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-80-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-71-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-77-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/688-83-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/1692-72-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/1692-91-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/1692-92-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/1760-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download