f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2

Analysis

max time kernel
68s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe
Size

34KB
MD5

807e597f2cffded27321013e16b0fcf5
SHA1

467f966e901a444077ca700f46ef5ce9b16b749c
SHA256

f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2
SHA512

c8434e76a76e86e03c51a93cf1e4979e7b8f9682a0caa6e18637f5feae05f60853f2dfbcf5b44cf60f1358fd79010e1e0a2f5b3376d2291f3c6de66ed277d0f3
SSDEEP

768:REjoldIsxKGrhdnIECnbcuyD7UF2rTQEf06e4FSMKv2ICAiOLM:REIdPxBrIECnouy8FiQ+JecW2ICAiO4

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000022f71-136.dat	acprotect
behavioral2/files/0x0009000000022f71-137.dat	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5016-132-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0009000000022f71-136.dat	upx
behavioral2/files/0x0009000000022f71-137.dat	upx
behavioral2/memory/4292-138-0x00000000701A0000-0x00000000701AB000-memory.dmp	upx
behavioral2/memory/5016-139-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4292	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O449153.dll	f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O449153.dll	regsvr32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32\Original = "C:\\Windows\\SysWOW64\\Dxtrans.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\DA0O449153.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEFFD4A5-FC5D-4427-920D-E4917AAD09EE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d95-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32\Original = "C:\\Windows\\SysWOW64\\urlmon.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d95-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\DA0O449153.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4292	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5016	f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4292	5016	f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe	81
PID 5016 wrote to memory of 4292	5016	f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe	81
PID 5016 wrote to memory of 4292	5016	f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe	81

C:\Users\Admin\AppData\Local\Temp\f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe
"C:\Users\Admin\AppData\Local\Temp\f15d7db8f78a1eeb3f3530b84f766715cbbc10f7119cf64476f121c61aa9c2d2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /n /s /i:"-f 7b8a2d95-0ac9-11d1-896c-00c04Fb6bfc4 -f D1FE6762-FC48-11D0-883A-3C8B00C10000" "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O449153.dll"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O449153.dll

Filesize
15KB

MD5
1039ad6780b900e1fe90e1ad47efab2b

SHA1
e163e0cd55b193530de79317edc77dd2cfd6bf4e

SHA256
93eec25e74fdf3cdf87c26f4985486881ff1e1bf1c6973060a9dbc7fa54a7f82

SHA512
adba7c18e87846917d56ea61352a27a5c81134b98bda97e16b84e4a22dcbb2cd51bd85d1bd9563a7a08f61d546466d5d373d788e2655de2092e01d4c9351f418

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O449153.dll

Filesize
15KB

MD5
1039ad6780b900e1fe90e1ad47efab2b

SHA1
e163e0cd55b193530de79317edc77dd2cfd6bf4e

SHA256
93eec25e74fdf3cdf87c26f4985486881ff1e1bf1c6973060a9dbc7fa54a7f82

SHA512
adba7c18e87846917d56ea61352a27a5c81134b98bda97e16b84e4a22dcbb2cd51bd85d1bd9563a7a08f61d546466d5d373d788e2655de2092e01d4c9351f418

Download Submit
memory/4292-138-0x00000000701A0000-0x00000000701AB000-memory.dmp

Filesize
44KB

Download
memory/5016-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5016-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download