a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35

General

Target

a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
Size

3.6MB
MD5

7822ba123a33b50ed8d90156e5c70aa0
SHA1

f0294599e3a4a62d068396fc1cb4c88bfd5c9277
SHA256

a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35
SHA512

06ad98e62617f49a7fc6234c86ce541d46fcf405e47518873d4d51c5686afcee40ed533581e50c899fff2e5a36e5b9d17754574f1b67d87024531d7785187403
SSDEEP

98304:8cESJR29eT8qN0PeeM+zcnJQ1VaUFpt74obCo:LD2bqN8e1oj

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0002000000022e06-148.dat	acprotect
behavioral2/files/0x0002000000022e06-149.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
3308	wf86.exe
3616	wf86.exe
2404	ÊÍ·ÅÎÞ×¢Èë.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022e06-148.dat	upx
behavioral2/files/0x0002000000022e06-149.dat	upx
behavioral2/memory/2516-150-0x0000000010000000-0x00000000100B5000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2516	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File created	C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File opened for modification	C:\WINDOWS\SysWOW64\SkinH_EL.dll	ÊÍ·ÅÎÞ×¢Èë.exe
File created	C:\WINDOWS\SysWOW64\SkinH_EL.dll	ÊÍ·ÅÎÞ×¢Èë.exe
File opened for modification	C:\WINDOWS\SysWOW64\wf86.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
File created	C:\WINDOWS\SysWOW64\wf86.exe	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	svchost.exe
Token: SeDebugPrivilege	2516	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
2404	ÊÍ·ÅÎÞ×¢Èë.exe
2404	ÊÍ·ÅÎÞ×¢Èë.exe
2516	svchost.exe
2516	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3308	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	84
PID 1736 wrote to memory of 3308	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	84
PID 1736 wrote to memory of 3308	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	84
PID 3308 wrote to memory of 3616	3308	wf86.exe	85
PID 3308 wrote to memory of 3616	3308	wf86.exe	85
PID 3308 wrote to memory of 3616	3308	wf86.exe	85
PID 1736 wrote to memory of 2404	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	86
PID 1736 wrote to memory of 2404	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	86
PID 1736 wrote to memory of 2404	1736	a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe	86
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87
PID 2404 wrote to memory of 2516	2404	ÊÍ·ÅÎÞ×¢Èë.exe	87

C:\Users\Admin\AppData\Local\Temp\a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe
"C:\Users\Admin\AppData\Local\Temp\a218f83d05ce19f35f854cbf7b6d811916bfd3a9eae6eecb13f785cab1d88b35.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\WINDOWS\SysWOW64\wf86.exe
  C:\WINDOWS\system32\wf86.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\WINDOWS\SysWOW64\wf86.exe
    C:\WINDOWS\system32\wf86.exe
    3⤵
    - Executes dropped EXE
    PID:3616
- C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe
  C:\WINDOWS\system32\ÊÍ·ÅÎÞ×¢Èë.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\WINDOWS\SysWOW64\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2516

Network

DNS

rpt2.21civ.com

wf86.exe

Remote address:

8.8.8.8:53

Request

rpt2.21civ.com

IN A

Response

8.253.135.112:80

322 B
7
8.253.135.112:80

322 B
7
104.80.225.205:443

322 B
7
20.189.173.4:443

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7

8.8.8.8:53

rpt2.21civ.com

dns

wf86.exe

60 B
133 B
1
1

DNS Request

rpt2.21civ.com

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\SkinH_EL.dll

Filesize
130KB

MD5
4529a158ba13571b9d3168175f58c088

SHA1
ea54deff00110a0c7229dc51f2d56dd0a1643a2d

SHA256
1a73b8440e3dd250b0ef8294f07eff5cf30ba2f308aeb42d301be7104e497a5b

SHA512
ed522c80d50c48ff775e5f09257b76a44d5bcada56be282597f9ff1e0b2e4c12522eadb49df8dfb5d44cab0a9fa4eece25babdb8e7901dfd2882c044681c8fc2

Download Submit
C:\WINDOWS\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\WINDOWS\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe

Filesize
3.0MB

MD5
5d89fd4e1fd3166592dc9baef37a6e29

SHA1
aa5bee54d1a946484858679d1dd83a443dabc8ad

SHA256
2f590bed78f6bd32225686a276edfe253e5eaf8443ded6b4b7b84b1a032e2660

SHA512
ba082667ce08e99b9df971e994e5ecf31b60388fa1748c144e389226e19b2307cc47880114415f048400013e0fe1c445a0af4c489c14b9c148fb2f0de489dabb

Download Submit
C:\Windows\SysWOW64\SkinH_EL.dll

Filesize
130KB

MD5
4529a158ba13571b9d3168175f58c088

SHA1
ea54deff00110a0c7229dc51f2d56dd0a1643a2d

SHA256
1a73b8440e3dd250b0ef8294f07eff5cf30ba2f308aeb42d301be7104e497a5b

SHA512
ed522c80d50c48ff775e5f09257b76a44d5bcada56be282597f9ff1e0b2e4c12522eadb49df8dfb5d44cab0a9fa4eece25babdb8e7901dfd2882c044681c8fc2

Download Submit
C:\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\Windows\SysWOW64\wf86.exe

Filesize
150KB

MD5
d79ee318fd01fad32a25ab15bee6710f

SHA1
9e7da9a344d3b165eab5bcbe10617f4986803ffb

SHA256
9428827c34133e933b30ae404608b0e6c96325f0b3416358f4243405e70309b4

SHA512
224ae18ce8b64da2985d15383d3efbd68b7b3d075477738cc2ab4c6656f79357dd99a7baaebb9ecabdded3cc78cef46585e3945c4fbb14037fac00770fb70a95

Download Submit
C:\Windows\SysWOW64\ÊÍ·ÅÎÞ×¢Èë.exe

Filesize
3.0MB

MD5
5d89fd4e1fd3166592dc9baef37a6e29

SHA1
aa5bee54d1a946484858679d1dd83a443dabc8ad

SHA256
2f590bed78f6bd32225686a276edfe253e5eaf8443ded6b4b7b84b1a032e2660

SHA512
ba082667ce08e99b9df971e994e5ecf31b60388fa1748c144e389226e19b2307cc47880114415f048400013e0fe1c445a0af4c489c14b9c148fb2f0de489dabb

Download Submit
memory/2516-141-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2516-143-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2516-144-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2516-145-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2516-147-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2516-150-0x0000000010000000-0x00000000100B5000-memory.dmp

Filesize
724KB

Download
memory/3616-142-0x0000000000B10000-0x0000000000B2E000-memory.dmp

Filesize
120KB

Download
memory/3616-151-0x0000000000B10000-0x0000000000B2E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing