5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
Size

397KB
MD5

42daaa0329c972b758f396ba98fed461
SHA1

d68b783e3198ea363f76159d40bf6d17b4aeeb20
SHA256

5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d
SHA512

00259ae7de0541fe3b084c296e328225a2f3856e4e58bc36a6a02e8424812aabec2f0a86077dce922c976fb0d96f2205b6c1ec0c85f929700d1cb8310a908224
SSDEEP

12288:AjjkArEN249AyE/rbaMct4bO2/Cwt3d/piH15:AoFE//Tct4bOsCIhiH15

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e1c-155.dat	acprotect
behavioral2/files/0x0006000000022e1c-154.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
2256	ÎÞµÐ°æ.exe
4340	1.exe
2084	WinHelp32.exe
4344	WinHelp32.exe
2432	上网助手1.0.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e0e-133.dat	upx
behavioral2/files/0x000a000000022e0e-134.dat	upx
behavioral2/memory/2256-138-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/files/0x0006000000022e1b-145.dat	upx
behavioral2/files/0x0006000000022e1b-146.dat	upx
behavioral2/memory/2432-151-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2256-152-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/2432-153-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-155.dat	upx
behavioral2/files/0x0006000000022e1c-154.dat	upx
behavioral2/memory/2432-156-0x0000000010000000-0x0000000010017000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2432	上网助手1.0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2256-152-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 4520	4344	WinHelp32.exe	89

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinHelp32.exe	1.exe
File opened for modification	C:\Windows\WinHelp32.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	4520	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4340	1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
2432	上网助手1.0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4520	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2256	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	81
PID 1408 wrote to memory of 2256	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	81
PID 1408 wrote to memory of 2256	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	81
PID 1408 wrote to memory of 4340	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	82
PID 1408 wrote to memory of 4340	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	82
PID 1408 wrote to memory of 4340	1408	5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe	82
PID 4340 wrote to memory of 2084	4340	1.exe	85
PID 4340 wrote to memory of 2084	4340	1.exe	85
PID 4340 wrote to memory of 2084	4340	1.exe	85
PID 4340 wrote to memory of 4184	4340	1.exe	86
PID 4340 wrote to memory of 4184	4340	1.exe	86
PID 4340 wrote to memory of 4184	4340	1.exe	86
PID 2256 wrote to memory of 2432	2256	ÎÞµÐ°æ.exe	88
PID 2256 wrote to memory of 2432	2256	ÎÞµÐ°æ.exe	88
PID 2256 wrote to memory of 2432	2256	ÎÞµÐ°æ.exe	88
PID 4344 wrote to memory of 4520	4344	WinHelp32.exe	89
PID 4344 wrote to memory of 4520	4344	WinHelp32.exe	89
PID 4344 wrote to memory of 4520	4344	WinHelp32.exe	89
PID 4344 wrote to memory of 4520	4344	WinHelp32.exe	89
PID 4344 wrote to memory of 4520	4344	WinHelp32.exe	89

C:\Users\Admin\AppData\Local\Temp\5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe
"C:\Users\Admin\AppData\Local\Temp\5fb9fb50acd2a1e88e6900da0038c74012ed5f0da4b028f0549dd1bd6dce007d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe
    C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\WinHelp32.exe
    "C:\Windows\WinHelp32.exe"
    3⤵
    - Executes dropped EXE
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1.exe > nul
    3⤵
    PID:4184

C:\Windows\WinHelp32.exe
C:\Windows\WinHelp32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 12
    3⤵
    - Program crash
    PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe

Filesize
349KB

MD5
98ff36a38f71e6ed62af203e58ea4437

SHA1
013c65426963c915c0d19ed2bd7e444ce11c8e21

SHA256
9e6f1ca8114b17e79f1d9b2bff7ce86b459a37bfee2ef8b26899c5137323002a

SHA512
1e221114ed4a09821101efa15a2125ef3de0be2b16afd4a3a04a9d9f5f4b1d22daab68c5ecf1e649dc844da9de43daff8e360e47ff218de2d141de8c625e9d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÞµÐ°æ.exe

Filesize
349KB

MD5
98ff36a38f71e6ed62af203e58ea4437

SHA1
013c65426963c915c0d19ed2bd7e444ce11c8e21

SHA256
9e6f1ca8114b17e79f1d9b2bff7ce86b459a37bfee2ef8b26899c5137323002a

SHA512
1e221114ed4a09821101efa15a2125ef3de0be2b16afd4a3a04a9d9f5f4b1d22daab68c5ecf1e649dc844da9de43daff8e360e47ff218de2d141de8c625e9d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\Hook.dll

Filesize
37KB

MD5
d0f935ae9d2f2cc058a7ebec3d4e3e69

SHA1
f798abce9fe3ac34011912061967f254a0077a51

SHA256
b110539d9afde697bed6ae9444a883fadf1895f6d12b90970c3e430ace2aca06

SHA512
1f17c7f65bbd9055a0d0495c696f8b2e4ce0d188a531c0e6597342ab6d14855b9e3c69e62fdeceb468ab84a5016e1462743d00e80e04ee424f8b919c9e21537c

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\hook.dll

Filesize
37KB

MD5
d0f935ae9d2f2cc058a7ebec3d4e3e69

SHA1
f798abce9fe3ac34011912061967f254a0077a51

SHA256
b110539d9afde697bed6ae9444a883fadf1895f6d12b90970c3e430ace2aca06

SHA512
1f17c7f65bbd9055a0d0495c696f8b2e4ce0d188a531c0e6597342ab6d14855b9e3c69e62fdeceb468ab84a5016e1462743d00e80e04ee424f8b919c9e21537c

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe

Filesize
37KB

MD5
925efeefdc362488042e483fae146179

SHA1
d7a0b9ec6e51074a03b8f8a7cec8f4b59f62fb15

SHA256
74b4018b382dcaafeaca2dc1def4e9f99efad980a8e98abd8d802664654d0ebc

SHA512
76fc215d6bb9d5a1f5ebe08cb2a2e75c350c8c263fd5d1c9a32dc25359896f4dfbe47ba91fa969dd3ced48a4a930630a0a6586750a45bd555c3b210afd0d11b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\无敌版\上网助手1.0.exe

Filesize
37KB

MD5
925efeefdc362488042e483fae146179

SHA1
d7a0b9ec6e51074a03b8f8a7cec8f4b59f62fb15

SHA256
74b4018b382dcaafeaca2dc1def4e9f99efad980a8e98abd8d802664654d0ebc

SHA512
76fc215d6bb9d5a1f5ebe08cb2a2e75c350c8c263fd5d1c9a32dc25359896f4dfbe47ba91fa969dd3ced48a4a930630a0a6586750a45bd555c3b210afd0d11b4

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
C:\Windows\WinHelp32.exe

Filesize
28KB

MD5
b035154d7ec466cb88de079a0c91d19d

SHA1
8b1116c384a2ee4c37668e4bd12ca557e3830e87

SHA256
98aa7d80faeda8a08234d86d925fd1a864d92275cf0505612bf30a365a19e43c

SHA512
d9b22482c7573cd014b129b79ab1170e01fc3f673d62b4d2db14c15a7efec6f0ff44fb1130826cf500e36428da8e90cc95bcaed6bde7e47d6b9b25b31454e251

Download Submit
memory/2256-138-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2256-152-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2432-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2432-156-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2432-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4520-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download