a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/11/2022, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
Size

3.4MB
MD5

c0ed142606278ab623d47b65efd45687
SHA1

2b6df6ebb05b06b3efa3f8f7437af51c777fe872
SHA256

a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275
SHA512

b8a1d2a35dae39ae48f16454f8f0b87141d7531541c0c373f99257c385939fc7a52816dd815d80cfd790263695e52ace491a2b9d183884e9eac19c1f7aeeb6af
SSDEEP

98304:gMs6glG4KBj1kHG5SbWf+YFCwDpmyXXTW7BCsS0IIe:bomQaf+Hw1mg0LS0te

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	acprotect
behavioral1/files/0x000500000001a472-60.dat	acprotect
behavioral1/files/0x000500000001a472-61.dat	acprotect
behavioral1/files/0x000500000001a472-62.dat	acprotect
behavioral1/files/0x000a000000013482-65.dat	acprotect
behavioral1/files/0x000a000000013482-66.dat	acprotect

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x000500000001a472-60.dat	upx
behavioral1/files/0x000500000001a472-61.dat	upx
behavioral1/files/0x000500000001a472-62.dat	upx
behavioral1/files/0x000a000000013482-65.dat	upx
behavioral1/files/0x000a000000013482-66.dat	upx
behavioral1/memory/1200-67-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1476-69-0x0000000010000000-0x0000000010176000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
900	regsvr32.exe
1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
1476	regsvr32.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TP\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TP\\"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TP\\dm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kernel32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kernel32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 1056	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	27
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 900	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	28
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29
PID 1200 wrote to memory of 1476	1200	a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe	29

C:\Users\Admin\AppData\Local\Temp\a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe
"C:\Users\Admin\AppData\Local\Temp\a19582346dbc0ca79f74269d61f635fb92aa3d0ff7b376a79c226de38a03b275.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s
  2⤵
  PID:1056
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kernel32.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:900
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Users\Admin\AppData\Local\Temp\TP\dm.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TP\dm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
798KB

MD5
02b50a7623fa16c16551d9db31504752

SHA1
de3ee4348e8d75dae39a7375f2904b1f3ed9cd0e

SHA256
1532a8668ae962a992032ecf05d476bedfaa636cc7a4008f6c486882cf986947

SHA512
3d742cc170e955e7836ab189f3edafc4869ad5cdf39ebb4abc751bc16bce56eddcb7b3ffdac2d074060fff99cc625db205df6fc4037e3478d379e6b92feaa44d

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\Users\Admin\AppData\Local\Temp\TP\dm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
798KB

MD5
02b50a7623fa16c16551d9db31504752

SHA1
de3ee4348e8d75dae39a7375f2904b1f3ed9cd0e

SHA256
1532a8668ae962a992032ecf05d476bedfaa636cc7a4008f6c486882cf986947

SHA512
3d742cc170e955e7836ab189f3edafc4869ad5cdf39ebb4abc751bc16bce56eddcb7b3ffdac2d074060fff99cc625db205df6fc4037e3478d379e6b92feaa44d

Download Submit
\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
798KB

MD5
02b50a7623fa16c16551d9db31504752

SHA1
de3ee4348e8d75dae39a7375f2904b1f3ed9cd0e

SHA256
1532a8668ae962a992032ecf05d476bedfaa636cc7a4008f6c486882cf986947

SHA512
3d742cc170e955e7836ab189f3edafc4869ad5cdf39ebb4abc751bc16bce56eddcb7b3ffdac2d074060fff99cc625db205df6fc4037e3478d379e6b92feaa44d

Download Submit
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-67-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1200-68-0x0000000003270000-0x00000000033DC000-memory.dmp

Filesize
1.4MB

Download
memory/1200-70-0x0000000003270000-0x00000000033DC000-memory.dmp

Filesize
1.4MB

Download
memory/1476-69-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download