5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d

Analysis

max time kernel
49s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
Size

397KB
MD5

42daaa0329c972b758f396ba98fed461
SHA1

d68b783e3198ea363f76159d40bf6d17b4aeeb20
SHA256

5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d
SHA512

00259ae7de0541fe3b084c296e328225a2f3856e4e58bc36a6a02e8424812aabec2f0a86077dce922c976fb0d96f2205b6c1ec0c85f929700d1cb8310a908224
SSDEEP

12288:AjjkArEN249AyE/rbaMct4bO2/Cwt3d/piH15:AoFE//Tct4bOsCIhiH15

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000122f5-92.dat	acprotect
behavioral1/files/0x00080000000122f5-91.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
1904	ÎÞµÐ°æ.exe
1624	1.exe
1764	WinHelp32.exe
1396	上网助手1.0.exe
1572	WinHelp32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-54.dat	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/memory/1904-61-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-66.dat	upx
behavioral1/files/0x00080000000122f3-73.dat	upx
behavioral1/files/0x00080000000122f3-71.dat	upx
behavioral1/files/0x00080000000122f3-70.dat	upx
behavioral1/memory/1904-75-0x00000000001D0000-0x00000000001EA000-memory.dmp	upx
behavioral1/memory/1396-77-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1904-81-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1396-83-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x00080000000122f5-92.dat	upx
behavioral1/files/0x00080000000122f5-91.dat	upx
behavioral1/memory/1396-93-0x0000000010000000-0x0000000010017000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
1904	ÎÞµÐ°æ.exe
1904	ÎÞµÐ°æ.exe
1396	上网助手1.0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1904-81-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1068	1572	WinHelp32.exe	35

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinHelp32.exe	1.exe
File opened for modification	C:\Windows\WinHelp32.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1624	1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
1396	上网助手1.0.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1904	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	28
PID 968 wrote to memory of 1904	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	28
PID 968 wrote to memory of 1904	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	28
PID 968 wrote to memory of 1904	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	28
PID 968 wrote to memory of 1624	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	29
PID 968 wrote to memory of 1624	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	29
PID 968 wrote to memory of 1624	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	29
PID 968 wrote to memory of 1624	968	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	29
PID 1624 wrote to memory of 1764	1624	1.exe	30
PID 1624 wrote to memory of 1764	1624	1.exe	30
PID 1624 wrote to memory of 1764	1624	1.exe	30
PID 1624 wrote to memory of 1764	1624	1.exe	30
PID 1904 wrote to memory of 1396	1904	ÎÞµÐ°æ.exe	32
PID 1904 wrote to memory of 1396	1904	ÎÞµÐ°æ.exe	32
PID 1904 wrote to memory of 1396	1904	ÎÞµÐ°æ.exe	32
PID 1904 wrote to memory of 1396	1904	ÎÞµÐ°æ.exe	32
PID 1624 wrote to memory of 1404	1624	1.exe	31
PID 1624 wrote to memory of 1404	1624	1.exe	31
PID 1624 wrote to memory of 1404	1624	1.exe	31
PID 1624 wrote to memory of 1404	1624	1.exe	31
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35
PID 1572 wrote to memory of 1068	1572	WinHelp32.exe	35

C:\Users\Admin\AppData\Local\Temp\5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
"C:\Users\Admin\AppData\Local\Temp\5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe
    C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1396
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\WinHelp32.exe
    "C:\Windows\WinHelp32.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1.exe > nul
    3⤵
    PID:1404

C:\Windows\WinHelp32.exe
C:\Windows\WinHelp32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe

Filesize
349KB

MD5
98ff36a38f71e6ed62af203e58ea4437

SHA1
013c65426963c915c0d19ed2bd7e444ce11c8e21

SHA256
9e6f1ca8114b17e79f1d9b2bff7ce86b459a37bfee2ef8b26899c5137323002a

SHA512
1e221114ed4a09821101efa15a2125ef3de0be2b16afd4a3a04a9d9f5f4b1d22daab68c5ecf1e649dc844da9de43daff8e360e47ff218de2d141de8c625e9d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe

Filesize
349KB

MD5
98ff36a38f71e6ed62af203e58ea4437

SHA1
013c65426963c915c0d19ed2bd7e444ce11c8e21

SHA256
9e6f1ca8114b17e79f1d9b2bff7ce86b459a37bfee2ef8b26899c5137323002a

SHA512
1e221114ed4a09821101efa15a2125ef3de0be2b16afd4a3a04a9d9f5f4b1d22daab68c5ecf1e649dc844da9de43daff8e360e47ff218de2d141de8c625e9d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\hook.dll

Filesize
37KB

MD5
d0f935ae9d2f2cc058a7ebec3d4e3e69

SHA1
f798abce9fe3ac34011912061967f254a0077a51

SHA256
b110539d9afde697bed6ae9444a883fadf1895f6d12b90970c3e430ace2aca06

SHA512
1f17c7f65bbd9055a0d0495c696f8b2e4ce0d188a531c0e6597342ab6d14855b9e3c69e62fdeceb468ab84a5016e1462743d00e80e04ee424f8b919c9e21537c

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe

Filesize
37KB

MD5
925efeefdc362488042e483fae146179

SHA1
d7a0b9ec6e51074a03b8f8a7cec8f4b59f62fb15

SHA256
74b4018b382dcaafeaca2dc1def4e9f99efad980a8e98abd8d802664654d0ebc

SHA512
76fc215d6bb9d5a1f5ebe08cb2a2e75c350c8c263fd5d1c9a32dc25359896f4dfbe47ba91fa969dd3ced48a4a930630a0a6586750a45bd555c3b210afd0d11b4

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe

Filesize
349KB

MD5
98ff36a38f71e6ed62af203e58ea4437

SHA1
013c65426963c915c0d19ed2bd7e444ce11c8e21

SHA256
9e6f1ca8114b17e79f1d9b2bff7ce86b459a37bfee2ef8b26899c5137323002a

SHA512
1e221114ed4a09821101efa15a2125ef3de0be2b16afd4a3a04a9d9f5f4b1d22daab68c5ecf1e649dc844da9de43daff8e360e47ff218de2d141de8c625e9d23

Download Submit
\Users\Admin\AppData\Local\Temp\无敌版\Hook.dll

Filesize
37KB

MD5
d0f935ae9d2f2cc058a7ebec3d4e3e69

SHA1
f798abce9fe3ac34011912061967f254a0077a51

SHA256
b110539d9afde697bed6ae9444a883fadf1895f6d12b90970c3e430ace2aca06

SHA512
1f17c7f65bbd9055a0d0495c696f8b2e4ce0d188a531c0e6597342ab6d14855b9e3c69e62fdeceb468ab84a5016e1462743d00e80e04ee424f8b919c9e21537c

Download Submit
\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe

Filesize
37KB

MD5
925efeefdc362488042e483fae146179

SHA1
d7a0b9ec6e51074a03b8f8a7cec8f4b59f62fb15

SHA256
74b4018b382dcaafeaca2dc1def4e9f99efad980a8e98abd8d802664654d0ebc

SHA512
76fc215d6bb9d5a1f5ebe08cb2a2e75c350c8c263fd5d1c9a32dc25359896f4dfbe47ba91fa969dd3ced48a4a930630a0a6586750a45bd555c3b210afd0d11b4

Download Submit
\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe

Filesize
37KB

MD5
925efeefdc362488042e483fae146179

SHA1
d7a0b9ec6e51074a03b8f8a7cec8f4b59f62fb15

SHA256
74b4018b382dcaafeaca2dc1def4e9f99efad980a8e98abd8d802664654d0ebc

SHA512
76fc215d6bb9d5a1f5ebe08cb2a2e75c350c8c263fd5d1c9a32dc25359896f4dfbe47ba91fa969dd3ced48a4a930630a0a6586750a45bd555c3b210afd0d11b4

Download Submit
memory/968-58-0x0000000000490000-0x000000000054B000-memory.dmp

Filesize
748KB

Download
memory/1068-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1068-89-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1396-93-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1396-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1396-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1904-75-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/1904-61-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1904-62-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1904-82-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/1904-81-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1904-76-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download