Analysis
- max time kernel: 165s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 17:18
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  - Resource: win7-20220812-en

Note that the Analysis block above reports a win10v2004-20220812-en image and the memory dumps listed under Downloads are labelled behavioral2, so the signatures and process tree on this page come from a second (Windows 10) behavioral task, not from the win7 task listed here.
General
- Target: 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Size: 3.3MB
- MD5: 43aa5883728a5313f3d9e7a09a9748e6
- SHA1: 85a186323eaf30670bf3d9b1bcbe1b1dbece7290
- SHA256: 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25
- SHA512: 4e821d5beff9e3ba941abbe71296c3c4b465f2198c6c6d5efb58e3fe24a0603b9b3d7be231d89582891097e6e7f2d2e06422a2be85cc76d4faedc6d6a59bf0ce
- SSDEEP: 98304:lGIXFUKtu0E4JJ4aGUtqTmoAsziWBWXCe9rXm:IA940VD4aZym4zivSObm
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll | acprotect
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll | acprotect
- Disables RegEdit via registry modification (2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "0" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  The value is written twice, first as 0 and then as 1; only the final write (1) disables regedit.exe for that user SID, so a detection rule should key on the value 1 rather than on any write to the key.
- UPX packed file (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll | upx
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll | upx
  behavioral2/memory/2552-149-0x0000000002960000-0x000000000299D000-memory.dmp | upx
- VMProtect packed file (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2552-138-0x0000000002D00000-0x0000000002ECD000-memory.dmp | vmprotect
  behavioral2/memory/2552-140-0x0000000002D00000-0x0000000002ECD000-memory.dmp | vmprotect
- Loads dropped DLL (3 IoCs)
  pid | process
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\svchost.exe | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  C:\Windows\SysWOW64\svchost.exe is the 32-bit copy of a core Windows binary, so a create followed by an open-for-modification on that path by a process running from the user's Temp directory means the sample is replacing the system file (possible here because the sandbox runs the sample as Admin). Both svchost.exe children in the process tree below are launched from this path.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | process
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  The ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debugging step and is commonly emitted by commercial packers and protectors, which fits the VMProtect-packed region flagged above.
- Program crash (2 IoCs)
  pid | pid_target | process | target process
  4004 | 2552 | WerFault.exe | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  4564 | 2552 | WerFault.exe | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Modifies Internet Explorer settings (4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?kfi1997" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Both the machine-wide (WOW6432Node) and the per-user default page are pointed at http://www.2345.com/ with two different query strings (?kfi1997 and ?28879).
- Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?kfi1997" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879" | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  {871C5380-42A0-1069-A2EA-08002B30309D} is the CLSID of the Internet Explorer desktop icon. The Command subkey under a shell verb determines what runs when that verb ("Open Home Page") is used; the report records the key creation but not the command value written under it.
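The registry IoCs above are the most portable part of this report for detection. The following added example (editor's code, not part of the sandbox output) runs three rules over Sysmon-style registry events constructed from the IoC rows on this page, in the report's own \REGISTRY\... path notation: a write of DisableRegistryTools = 1 (the earlier write of 0 is intentionally not flagged), an Internet Explorer Start Page or Default_Page_URL set to an external URL, and creation of the OpenHomePage verb under the Internet Explorer CLSID. The event_id numbers follow Sysmon (12 = key created, 13 = value set) and the rule names are the editor's assumption.

```python
"""Registry-event checks for the persistence/hijack behaviour in this report.

Added example, not part of the sandbox report. The events below are constructed
to mirror the IoC rows above in the report's own \\REGISTRY\\... notation; the
event_id numbers follow Sysmon (12 = key created, 13 = value set) and the rule
names are the editor's.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
HKLM = r"\REGISTRY\MACHINE"

POLICY_RE = re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I)
IE_MAIN_RE = re.compile(r"\\Internet Explorer\\Main\\(Start Page|Default_Page_URL)$", re.I)
# {871C5380-42A0-1069-A2EA-08002B30309D} is the CLSID of the Internet Explorer
# desktop icon; a shell\OpenHomePage\Command subkey under it decides what runs
# for that verb, so its creation by a non-installer process is a hijack signal.
IE_ICON_RE = re.compile(r"\\CLSID\\\{871C5380-42A0-1069-A2EA-08002B30309D\}\\shell\\OpenHomePage", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


@dataclass
class RegEvent:
    event_id: int      # 12 = key created/deleted, 13 = value set
    image: str         # process that made the change
    target: str        # full key or value path
    details: str = ""  # value data as logged


def as_int(details):
    """Parse value data in either Triage ('"1"') or Sysmon ('DWORD (0x00000001)') form."""
    m = DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def classify(ev):
    """Return the rule names an event triggers (empty list if benign)."""
    hits = []
    if ev.event_id == 13 and POLICY_RE.search(ev.target) and as_int(ev.details) == 1:
        hits.append("disable_regedit")  # only the write of 1 disables regedit
    if ev.event_id == 13 and IE_MAIN_RE.search(ev.target):
        url = ev.details.strip().strip('"').lower()
        if url.startswith(("http://", "https://")):
            hits.append("ie_homepage_hijack")
    if ev.event_id == 12 and IE_ICON_RE.search(ev.target):
        hits.append("ie_icon_verb_tamper")
    return hits


def scan(events):
    """Group triggering events by rule name."""
    report = {}
    for ev in events:
        for rule in classify(ev):
            report.setdefault(rule, []).append(ev)
    return report


# Constructed events, copied from the IoC rows of this report.
SAMPLE_EVENTS = [
    RegEvent(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools", '"0"'),
    RegEvent(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools", '"1"'),
    RegEvent(13, SAMPLE, HKLM + r"\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL", '"http://www.2345.com/?kfi1997"'),
    RegEvent(12, SAMPLE, HKU + r"\Software\Microsoft\Internet Explorer\Main"),
    RegEvent(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL", '"http://www.2345.com/?28879"'),
    RegEvent(13, SAMPLE, HKLM + r"\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL", '"http://www.2345.com/?28879"'),
    RegEvent(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", '"http://www.2345.com/?kfi1997"'),
    RegEvent(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", '"http://www.2345.com/?28879"'),
    RegEvent(12, SAMPLE, HKLM + r"\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage"),
    RegEvent(12, SAMPLE, HKLM + r"\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"),
    # Constructed benign event: Explorer toggling 'show hidden files' must not fire.
    RegEvent(13, r"C:\Windows\explorer.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", '"1"'),
]

if __name__ == "__main__":
    for rule, evs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

Run against the constructed events the scan reports one disable_regedit hit (the second write only), five ie_homepage_hijack hits (three Default_Page_URL writes and two Start Page writes) and two ie_icon_verb_tamper hits; the key creation of ...\Internet Explorer\Main itself and the benign Explorer event produce nothing.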
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 2552 wrote to memory of 5032 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
  PID 2552 wrote to memory of 5032 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
  PID 2552 wrote to memory of 5032 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
  PID 2552 wrote to memory of 4232 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
  PID 2552 wrote to memory of 4232 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
  PID 2552 wrote to memory of 4232 | 2552 | 19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe"
  PID: 2552
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\\svchost.exe
    PID: 5032
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\\svchost.exe
    PID: 4232
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1668
    PID: 4004
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1668
    PID: 4564
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2552 -ip 2552
  PID: 2096
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2552 -ip 2552
  PID: 2088

Two things in this tree are worth checking on any host that shows the same pattern. Both svchost.exe children are started directly by the sample, from the C:\Windows\SysWOW64 path it had just created and opened for modification, and with no -k service-group argument; a legitimate svchost.exe is started by services.exe and carries -k. The sample then writes into the memory of both children (PIDs 5032 and 4232, the six WriteProcessMemory IoCs above). The WerFault.exe entries are Windows Error Reporting handling the crash of PID 2552 and are not themselves suspicious.
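The process tree gives a second detection angle that does not depend on the registry at all. The following added example (editor's code, not part of the sandbox report) rebuilds the tree from constructed process, memory-write and file records that mirror the PIDs, images and command lines shown above, and applies three rules: svchost.exe whose parent is not services.exe, svchost.exe launched without a -k service group, and a process that writes into the memory of a child it spawned or drops a file into a system directory from a user-writable path. The sample's own parent (explorer.exe, PID 1000) and the benign services.exe / svchost.exe pair (PIDs 700 and 900) are editor assumptions added so the rules can be seen not firing on a legitimate service host.

```python
"""Process-tree checks for the svchost.exe launches and cross-process writes above.

Added example, not part of the sandbox report. The records are constructed to
mirror the process tree and the WriteProcessMemory / file IoCs on this page
(PIDs, images and command lines as shown there). The sample's own parent
(explorer.exe, PID 1000) and the benign services.exe -> svchost.exe pair
(PIDs 700 and 900) are editor assumptions included so the rules can be seen
not firing on a legitimate service host.
"""
import ntpath
from collections import defaultdict

SAMPLE = "19bd2ae776b6bc4e984a52377b4c41f400205ed0d525044e4653e1cb6e71db25.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")

# (pid, ppid, image, command line)
PROCESSES = [
    (1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),                          # constructed
    (700, 4, r"C:\Windows\System32\services.exe", "services.exe"),                  # constructed
    (900, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),    # constructed, benign
    (2552, 1000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (5032, 2552, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\\svchost.exe"),
    (4232, 2552, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\\svchost.exe"),
    (4004, 2552, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1668"),
    (4564, 2552, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1668"),
]
# (source pid, target pid): the six WriteProcessMemory IoCs
MEMORY_WRITES = [(2552, 5032)] * 3 + [(2552, 4232)] * 3
# (pid, path, action): the two "Drops file in System32 directory" IoCs
FILE_EVENTS = [(2552, r"C:\Windows\SysWOW64\svchost.exe", "created"),
               (2552, r"C:\Windows\SysWOW64\svchost.exe", "opened for modification")]


def _name(image):
    return ntpath.basename(image).lower()


def analyze(processes, memory_writes, file_events):
    """Return {pid: sorted finding strings} for every process that trips a rule."""
    by_pid = {p[0]: p for p in processes}
    findings = defaultdict(set)

    for pid, ppid, image, cmdline in processes:
        if _name(image) != "svchost.exe":
            continue
        parent = by_pid.get(ppid)
        parent_name = _name(parent[2]) if parent else "<unknown>"
        # A real service host is started by services.exe ...
        if parent_name != "services.exe":
            findings[pid].add("svchost_unexpected_parent:" + parent_name)
        # ... and carries a -k <group> argument.
        if "-k" not in cmdline.split():
            findings[pid].add("svchost_without_service_group")

    for src, dst in set(memory_writes):
        target = by_pid.get(dst)
        if target is None:
            continue
        # Writing into a process you just spawned is the shape of code injection.
        kind = "spawned_child" if target[1] == src else "unrelated_process"
        findings[src].add(f"writes_into_{kind}:{dst}")

    for pid, path, _action in file_events:
        src = by_pid.get(pid)
        if src is None:
            continue
        from_user_dir = any(s in src[2].lower() for s in USER_WRITABLE)
        into_system_dir = path.lower().startswith(SYSTEM_DIRS)
        if from_user_dir and into_system_dir:
            findings[pid].add("drops_into_system_dir:" + path)

    return {pid: sorted(f) for pid, f in findings.items()}


if __name__ == "__main__":
    for pid, hits in sorted(analyze(PROCESSES, MEMORY_WRITES, FILE_EVENTS).items()):
        print(pid, hits)
```

On these records PIDs 5032 and 4232 each trip both svchost rules, PID 2552 is flagged for writing into both children and for the SysWOW64 drop, and the benign svchost.exe (PID 900) and the WerFault.exe processes produce no findings. The image path of the parent, not its name alone, is what the unexpected-parent rule should be keyed on in production; here the basename is enough because the constructed records carry full paths.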
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
  Filesize: 86KB
  MD5: 147127382e001f495d1842ee7a9e7912
  SHA1: 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
  SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
  SHA512: 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
- C:\Users\Admin\AppData\Local\Temp\lazycommon.dll
  Filesize: 676KB
  MD5: 033d1db88147b6dab9a1795027a87e74
  SHA1: f6e9f5e82af3e9546711d42aab705a494e851d44
  SHA256: a85b830cec14449763cc174d600324372798f2bb8c5276546419cc6b2563db1c
  SHA512: 7689fc5812fc89e27f5691259c15e4109b3ecfd1933393e1d9ce2d63acc37149aa4cf6124c353b62b39352162e9509d7b49caeaabc1618c8e495a14cef095e33
- memory/2552-140-0x0000000002D00000-0x0000000002ECD000-memory.dmp (1.8MB)
- memory/2552-135-0x0000000000400000-0x0000000000B6C208-memory.dmp (7.4MB)
- memory/2552-144-0x0000000010000000-0x00000000100AA000-memory.dmp (680KB)
- memory/2552-145-0x0000000002D00000-0x0000000002ECD000-memory.dmp (1.8MB)
- memory/2552-138-0x0000000002D00000-0x0000000002ECD000-memory.dmp (1.8MB)
- memory/2552-137-0x0000000010000000-0x00000000100AA000-memory.dmp (680KB)
- memory/2552-149-0x0000000002960000-0x000000000299D000-memory.dmp (244KB)
- memory/2552-150-0x0000000000400000-0x0000000000B6C208-memory.dmp (7.4MB)
- memory/2552-151-0x0000000002D00000-0x0000000002ECD000-memory.dmp (1.8MB)
- memory/2552-153-0x0000000000400000-0x0000000000B6C208-memory.dmp (7.4MB)
- memory/2552-154-0x0000000002D00000-0x0000000002ECD000-memory.dmp (1.8MB)
- memory/4232-152-0x0000000000000000-mapping.dmp
- memory/5032-148-0x0000000000000000-mapping.dmp
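The dropped-file entries above are the IoCs most likely to be reused for hunting on other hosts. The following added example (editor's code, not the sandbox's own tooling) matches candidate file contents against the two DLL entries from this section by any of their digests, using the displayed size only as a coarse prefilter: the report rounds sizes to whole kilobytes, so a size match on its own is a weak signal and is reported separately. The IoC table is copied from the Downloads section (SHA512 omitted for brevity; it is added the same way); the candidate files are constructed byte strings, so their digests deliberately do not match the real DLLs.

```python
"""Match candidate files against the dropped-file IoCs in this report.

Added example, not the sandbox's own tooling. The IOCS table is copied from
the Downloads section above; the candidate files are constructed byte strings,
so their digests deliberately do not match the real DLLs.
"""
import hashlib

# Sizes in the report are rounded to whole KB, so they are only a prefilter.
IOCS = {
    "SkinH_EL.dll": {
        "size_kb": 86,
        "md5": "147127382e001f495d1842ee7a9e7912",
        "sha1": "92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b",
        "sha256": "edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc",
    },
    "lazycommon.dll": {
        "size_kb": 676,
        "md5": "033d1db88147b6dab9a1795027a87e74",
        "sha1": "f6e9f5e82af3e9546711d42aab705a494e851d44",
        "sha256": "a85b830cec14449763cc174d600324372798f2bb8c5276546419cc6b2563db1c",
    },
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """All four digests the report lists, hex-encoded, from a single pass over the bytes."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for h in hs.values():
        h.update(data)
    return {a: h.hexdigest() for a, h in hs.items()}


def size_plausible(nbytes, shown_kb, slack_kb=1):
    """True if a rounded 'NNNKB' display could describe a file of nbytes."""
    return abs(nbytes / 1024 - shown_kb) <= slack_kb


def match(data, iocs=IOCS):
    """Return (strong, weak): IoC names matched by any digest, and names matched only by size."""
    d = digests(data)
    strong, weak = [], []
    for name, ioc in iocs.items():
        if any(ioc.get(a) == d[a] for a in ALGOS if a in ioc):
            strong.append(name)
        elif size_plausible(len(data), ioc["size_kb"]):
            weak.append(name)
    return strong, weak


if __name__ == "__main__":
    # Constructed candidates: an 86KB blob with a PE-looking header, and a tiny file.
    for label, blob in [("fake_86kb", b"MZ" + b"\0" * (86 * 1024 - 2)), ("tiny", b"MZ")]:
        print(label, match(blob))
```

A candidate whose size rounds to 86KB but whose digests differ lands in the weak list only; that is exactly the case where a packed or rebuilt variant of the same DLL would still be worth pulling for manual comparison.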