0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0

General

Target

0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
Size

96KB
MD5

7bc169f57baa48b71cac284aeb3355f4
SHA1

c67f9b901c4ce45d5644197a4a5a6d17d445b180
SHA256

0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0
SHA512

c094e0a24e93d32d5abe31ff696742fa9df8cc54ed68dea4536f69862eafe9d137e6468e9e56fad4d58402b24f1bcb882112cf850d175f423ff108bf62a3ba2e
SSDEEP

1536:V8zMfuhw8iY9FKpmFPRGbHtMxzJpHoabFcmdoJ80RD1a:qz1hw9wFZYHtSDIahDma0

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000141f2-56.dat	acprotect
behavioral1/files/0x00060000000141f2-57.dat	acprotect
behavioral1/files/0x00060000000141f2-58.dat	acprotect
behavioral1/files/0x00060000000141f2-59.dat	acprotect
behavioral1/files/0x00060000000141f2-60.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
996	realupdate.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000141f2-56.dat	upx
behavioral1/files/0x00060000000141f2-57.dat	upx
behavioral1/files/0x00060000000141f2-58.dat	upx
behavioral1/files/0x00060000000141f2-59.dat	upx
behavioral1/files/0x00060000000141f2-60.dat	upx
behavioral1/files/0x00070000000141af-62.dat	upx
behavioral1/files/0x00070000000141af-63.dat	upx
behavioral1/memory/2024-64-0x0000000001FB0000-0x0000000001FC0000-memory.dmp	upx
behavioral1/memory/996-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2024-68-0x0000000001FB0000-0x0000000001FC0000-memory.dmp	upx
behavioral1/memory/996-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1148	rundll32.exe
1148	rundll32.exe
1148	rundll32.exe
1148	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnnt = "C:\\Windows\\winamph.exe"	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnnt = "C:\\Windows\\realupdate.exe other"	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\RUN	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatereal = "C:\\Windows\\realupdate.exe other"	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pchome\.setupa\libdllhosth.dll.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\dllhosth.dll	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\libup.dat	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\verx.dat	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\libnovel.exe.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\librealupdate.exe.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\librealupdate.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\libdllhosth.dll	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\avph.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\setup.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\up.dat	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\libverx.dat.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\libverx.dat	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\libnovel.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\winamph.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File opened for modification	C:\Windows\SysWOW64\pchome\.setupa\libwinamph.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\lib	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\libup.dat.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\realupdate.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\libwinamph.exe.tmp	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\avph.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\SysWOW64\pchome\.setupa\novel.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winamph.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
File created	C:\Windows\realupdate.exe	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
996	realupdate.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 1148	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	26
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27
PID 2024 wrote to memory of 996	2024	0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe	27

C:\Users\Admin\AppData\Local\Temp\0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe
"C:\Users\Admin\AppData\Local\Temp\0d72bf25d51794af9b1fbbbf72b1843fdf391e4c935c31120dfef4fdbc05eef0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\pchome\.setupa\dllhosth.dll _JustSoSo@16
  2⤵
  - Loads dropped DLL
  PID:1148
- C:\Windows\realupdate.exe
  C:\Windows\realupdate.exe other
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pchome\.setupa\dllhosth.dll

Filesize
21KB

MD5
36435a9c74beb21a33103c4a4667f0c4

SHA1
d0edb1eb99d2e23dd13ac98a304a4b64618724f9

SHA256
ec7277e5ad2c9872d3652991701776d72ad43a9d5ff44d8494f6285b57379573

SHA512
d1cb479227e3e332b9d0ced077e8d18542cf9e582043b716b0f3265d17d1ed2f24f85535f2335836253e20c3d8c56b35c2e068f875d0ba0b448a7fb35f9a998f

Download Submit
C:\Windows\realupdate.exe

Filesize
19KB

MD5
12cb0676a110d27994117260fd82410e

SHA1
6489ca63d8b8b05543a0ab1b70238ce68644a31f

SHA256
ea5197446ef598c027ffaeb79b6d8848b1eae5da85c4de96da40075b04f3da24

SHA512
f9b4c2e899b6ba99292eb06de161cc1ceb9940a2f35f0d62363d6de8cf34f7b918f2c49c23564ba4ce8262cf98053c10209806987a3b21f4f73e2ae22988cd57

Download Submit
C:\Windows\realupdate.exe

Filesize
19KB

MD5
12cb0676a110d27994117260fd82410e

SHA1
6489ca63d8b8b05543a0ab1b70238ce68644a31f

SHA256
ea5197446ef598c027ffaeb79b6d8848b1eae5da85c4de96da40075b04f3da24

SHA512
f9b4c2e899b6ba99292eb06de161cc1ceb9940a2f35f0d62363d6de8cf34f7b918f2c49c23564ba4ce8262cf98053c10209806987a3b21f4f73e2ae22988cd57

Download Submit
\Windows\SysWOW64\pchome\.setupa\dllhosth.dll

Filesize
21KB

MD5
36435a9c74beb21a33103c4a4667f0c4

SHA1
d0edb1eb99d2e23dd13ac98a304a4b64618724f9

SHA256
ec7277e5ad2c9872d3652991701776d72ad43a9d5ff44d8494f6285b57379573

SHA512
d1cb479227e3e332b9d0ced077e8d18542cf9e582043b716b0f3265d17d1ed2f24f85535f2335836253e20c3d8c56b35c2e068f875d0ba0b448a7fb35f9a998f

Download Submit
\Windows\SysWOW64\pchome\.setupa\dllhosth.dll

Filesize
21KB

MD5
36435a9c74beb21a33103c4a4667f0c4

SHA1
d0edb1eb99d2e23dd13ac98a304a4b64618724f9

SHA256
ec7277e5ad2c9872d3652991701776d72ad43a9d5ff44d8494f6285b57379573

SHA512
d1cb479227e3e332b9d0ced077e8d18542cf9e582043b716b0f3265d17d1ed2f24f85535f2335836253e20c3d8c56b35c2e068f875d0ba0b448a7fb35f9a998f

Download Submit
\Windows\SysWOW64\pchome\.setupa\dllhosth.dll

Filesize
21KB

MD5
36435a9c74beb21a33103c4a4667f0c4

SHA1
d0edb1eb99d2e23dd13ac98a304a4b64618724f9

SHA256
ec7277e5ad2c9872d3652991701776d72ad43a9d5ff44d8494f6285b57379573

SHA512
d1cb479227e3e332b9d0ced077e8d18542cf9e582043b716b0f3265d17d1ed2f24f85535f2335836253e20c3d8c56b35c2e068f875d0ba0b448a7fb35f9a998f

Download Submit
\Windows\SysWOW64\pchome\.setupa\dllhosth.dll

Filesize
21KB

MD5
36435a9c74beb21a33103c4a4667f0c4

SHA1
d0edb1eb99d2e23dd13ac98a304a4b64618724f9

SHA256
ec7277e5ad2c9872d3652991701776d72ad43a9d5ff44d8494f6285b57379573

SHA512
d1cb479227e3e332b9d0ced077e8d18542cf9e582043b716b0f3265d17d1ed2f24f85535f2335836253e20c3d8c56b35c2e068f875d0ba0b448a7fb35f9a998f

Download Submit
memory/996-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/996-67-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/996-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1148-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2024-64-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/2024-68-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing