d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35

Analysis

max time kernel
279s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
Size

3.6MB
MD5

bcba4678473f9b83cb62cfcd720eb40a
SHA1

6678a514e2e63bea790ced4aca6ba5ef2b78ca7b
SHA256

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35
SHA512

e7a26de1996119539727c7031e3c21aa314f5bfc00c633a8b8bb6f8e44f4bd98da7c030866165976832e9cd2f41b354f563b97399f075828625bd1caac5dca1d
SSDEEP

98304:0ZrogUq+XXIf0KXIYxqLQLBYdqYqdwkLcHHh:0i5qjAh

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files\9869\SkinH_EL.dll	acprotect
\Program Files\9869\SkinH_EL.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

buxi.execsrsss.exe

pid process

1488 buxi.exe
1412 csrsss.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\9869\SkinH_EL.dll	upx
\Program Files\9869\SkinH_EL.dll	upx
behavioral1/memory/1488-75-0x0000000000530000-0x000000000056D000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exebuxi.execsrsss.exe

pid	process
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1412	csrsss.exe
1412	csrsss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

buxi.execsrsss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\buxi.exe = "C:\\Program Files\\9869\\buxi.exe"	buxi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrsss.exe = "C:\\Program Files\\9869\\csrsss.exe"	csrsss.exe

Drops file in Program Files directory 15 IoCs

Processes:

buxi.exed4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.execsrsss.exe

description	ioc	process
File opened for modification	C:\Program Files\9869\buxi	buxi.exe
File created	C:\Program Files\9869\1.txt	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\internet.fne	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\buxi	buxi.exe
File created	C:\Program Files\9869\qd	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\Time.ini	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\SkinH_EL.dll	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\spec.fne	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\buxi.exe	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\buxi.exe	buxi.exe
File created	C:\Program Files\9869\csrsss.exe	buxi.exe
File created	C:\Program Files\9869\csrsss.exe	csrsss.exe
File created	C:\Program Files\9869\krnln.fnr	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\HtmlView.fne	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
File created	C:\Program Files\9869\eAPI.fne	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

buxi.exed4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe

pid	process
1488	buxi.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe

pid process

1492 d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

buxi.exe

pid process

1488 buxi.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

buxi.exe

pid process

1488 buxi.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exebuxi.execsrsss.exe

pid	process
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1488	buxi.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe
1412	csrsss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exebuxi.exe

description	pid	process	target process
PID 1492 wrote to memory of 1488	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	buxi.exe
PID 1492 wrote to memory of 1488	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	buxi.exe
PID 1492 wrote to memory of 1488	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	buxi.exe
PID 1492 wrote to memory of 1488	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	buxi.exe
PID 1488 wrote to memory of 1412	1488	buxi.exe	csrsss.exe
PID 1488 wrote to memory of 1412	1488	buxi.exe	csrsss.exe
PID 1488 wrote to memory of 1412	1488	buxi.exe	csrsss.exe
PID 1488 wrote to memory of 1412	1488	buxi.exe	csrsss.exe
PID 1492 wrote to memory of 1680	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	cmd.exe
PID 1492 wrote to memory of 1680	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	cmd.exe
PID 1492 wrote to memory of 1680	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	cmd.exe
PID 1492 wrote to memory of 1680	1492	d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
"C:\Users\Admin\AppData\Local\Temp\d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\9869\buxi.exe
"C:\Program Files\9869\buxi.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files\9869\csrsss.exe
csrsss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
2⤵
PID:1680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\9869\HtmlView.fne
Filesize
224KB

MD5
2c0b196cb4b98677c77aa810e7f1f072

SHA1
b8ba545ebb7b55c7371cd7c18d78dfebbba33866

SHA256
8d32a07500380f9b900134fecf01068d025f7b7b27c998066a321710db5a5f0d

SHA512
39713b827cae220ae1d2f6b968bb689f72e583f1f5024260f54744c332ca99ed5a9508bcea6c143df31faa5a362e40fc5e7d2215a5c7f6c095c3951662a9b76f

Download Submit
C:\Program Files\9869\SkinH_EL.dll
Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Program Files\9869\buxi.exe
Filesize
1.1MB

MD5
73064f7eee9546886d3d3783c0d784d2

SHA1
aeb8f7e74b21401c8df856dfc43e11212976d2ac

SHA256
caca80d323292fee1ef0d13a7b6932bbf5b9fc7dde227a01610820006fc53ceb

SHA512
0ba19a9c0424b806a1567346e0059ae86957ee13ea4f47d8f9a4bf45cb0f6ba4af7edfa1c63bb77dd5cb3213ef03044de59a64ee79b4c7c25c09249e8f1228f2

Download Submit
C:\Program Files\9869\buxi.exe
Filesize
1.1MB

MD5
73064f7eee9546886d3d3783c0d784d2

SHA1
aeb8f7e74b21401c8df856dfc43e11212976d2ac

SHA256
caca80d323292fee1ef0d13a7b6932bbf5b9fc7dde227a01610820006fc53ceb

SHA512
0ba19a9c0424b806a1567346e0059ae86957ee13ea4f47d8f9a4bf45cb0f6ba4af7edfa1c63bb77dd5cb3213ef03044de59a64ee79b4c7c25c09249e8f1228f2

Download Submit
C:\Program Files\9869\csrsss.exe
Filesize
308KB

MD5
342b7993d8a019bfd6f774b0f709ce68

SHA1
56dec19739f8d88bf259a5867e7c252b03e47134

SHA256
6884c988b2cab744b253c1708aae2bc6dcfbe7db85083d5bce59590884281fc2

SHA512
a54287fbdc8e0282161e2713964ddd800b72f9982c3d0db307ecb22ac83d31bf717e42e60f707655ca15c46ba281d464c507125d591459dd6261eaaf1929a9a5

Download Submit
C:\Program Files\9869\csrsss.exe
Filesize
308KB

MD5
342b7993d8a019bfd6f774b0f709ce68

SHA1
56dec19739f8d88bf259a5867e7c252b03e47134

SHA256
6884c988b2cab744b253c1708aae2bc6dcfbe7db85083d5bce59590884281fc2

SHA512
a54287fbdc8e0282161e2713964ddd800b72f9982c3d0db307ecb22ac83d31bf717e42e60f707655ca15c46ba281d464c507125d591459dd6261eaaf1929a9a5

Download Submit
C:\Program Files\9869\krnln.fnr
Filesize
1.0MB

MD5
44e2ca67c060fbe3dc0d030149f5a478

SHA1
5df61eb626bc3849893701942114609c1086d496

SHA256
6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

SHA512
1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4cfce0f6b1f599ceac1844a6a7673e1e69d60edec6cf900b9d43054c729fd35.exe
Filesize
3.6MB

MD5
9a9766d5f216f007c191ce786f00c8af

SHA1
370e9a47e92caf2d8b9dc454faca18415006d787

SHA256
4e3de338a4832a376a5a7d71052fb6c29d7401abc56e74ea28d8f176df1cb304

SHA512
bfa3fa00dc9e6227cf72a4d957a4d481f03c62e6df044721741552aaf5a8b0f802143d86ae5bcac84721fb80c5a7c10a6fe363a8f47642496684cf2fde621f5f

Download Submit
\Program Files\9869\HtmlView.fne
Filesize
224KB

MD5
2c0b196cb4b98677c77aa810e7f1f072

SHA1
b8ba545ebb7b55c7371cd7c18d78dfebbba33866

SHA256
8d32a07500380f9b900134fecf01068d025f7b7b27c998066a321710db5a5f0d

SHA512
39713b827cae220ae1d2f6b968bb689f72e583f1f5024260f54744c332ca99ed5a9508bcea6c143df31faa5a362e40fc5e7d2215a5c7f6c095c3951662a9b76f

Download Submit
\Program Files\9869\HtmlView.fne
Filesize
224KB

MD5
2c0b196cb4b98677c77aa810e7f1f072

SHA1
b8ba545ebb7b55c7371cd7c18d78dfebbba33866

SHA256
8d32a07500380f9b900134fecf01068d025f7b7b27c998066a321710db5a5f0d

SHA512
39713b827cae220ae1d2f6b968bb689f72e583f1f5024260f54744c332ca99ed5a9508bcea6c143df31faa5a362e40fc5e7d2215a5c7f6c095c3951662a9b76f

Download Submit
\Program Files\9869\SkinH_EL.dll
Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\Program Files\9869\buxi.exe
Filesize
1.1MB

MD5
73064f7eee9546886d3d3783c0d784d2

SHA1
aeb8f7e74b21401c8df856dfc43e11212976d2ac

SHA256
caca80d323292fee1ef0d13a7b6932bbf5b9fc7dde227a01610820006fc53ceb

SHA512
0ba19a9c0424b806a1567346e0059ae86957ee13ea4f47d8f9a4bf45cb0f6ba4af7edfa1c63bb77dd5cb3213ef03044de59a64ee79b4c7c25c09249e8f1228f2

Download Submit
\Program Files\9869\buxi.exe
Filesize
1.1MB

MD5
73064f7eee9546886d3d3783c0d784d2

SHA1
aeb8f7e74b21401c8df856dfc43e11212976d2ac

SHA256
caca80d323292fee1ef0d13a7b6932bbf5b9fc7dde227a01610820006fc53ceb

SHA512
0ba19a9c0424b806a1567346e0059ae86957ee13ea4f47d8f9a4bf45cb0f6ba4af7edfa1c63bb77dd5cb3213ef03044de59a64ee79b4c7c25c09249e8f1228f2

Download Submit
\Program Files\9869\csrsss.exe
Filesize
308KB

MD5
342b7993d8a019bfd6f774b0f709ce68

SHA1
56dec19739f8d88bf259a5867e7c252b03e47134

SHA256
6884c988b2cab744b253c1708aae2bc6dcfbe7db85083d5bce59590884281fc2

SHA512
a54287fbdc8e0282161e2713964ddd800b72f9982c3d0db307ecb22ac83d31bf717e42e60f707655ca15c46ba281d464c507125d591459dd6261eaaf1929a9a5

Download Submit
\Program Files\9869\csrsss.exe
Filesize
308KB

MD5
342b7993d8a019bfd6f774b0f709ce68

SHA1
56dec19739f8d88bf259a5867e7c252b03e47134

SHA256
6884c988b2cab744b253c1708aae2bc6dcfbe7db85083d5bce59590884281fc2

SHA512
a54287fbdc8e0282161e2713964ddd800b72f9982c3d0db307ecb22ac83d31bf717e42e60f707655ca15c46ba281d464c507125d591459dd6261eaaf1929a9a5

Download Submit
\Program Files\9869\krnln.fnr
Filesize
1.0MB

MD5
44e2ca67c060fbe3dc0d030149f5a478

SHA1
5df61eb626bc3849893701942114609c1086d496

SHA256
6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

SHA512
1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

Download Submit
\Program Files\9869\krnln.fnr
Filesize
1.0MB

MD5
44e2ca67c060fbe3dc0d030149f5a478

SHA1
5df61eb626bc3849893701942114609c1086d496

SHA256
6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

SHA512
1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

Download Submit
memory/1412-82-0x00000000004D0000-0x000000000050B000-memory.dmp

Filesize
236KB

Download
memory/1412-73-0x0000000000000000-mapping.dmp

Download
memory/1412-87-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1488-88-0x0000000001F50000-0x0000000001FA0000-memory.dmp

Filesize
320KB

Download
memory/1488-74-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1488-75-0x0000000000530000-0x000000000056D000-memory.dmp

Filesize
244KB

Download
memory/1488-79-0x0000000001F50000-0x0000000001FA0000-memory.dmp

Filesize
320KB

Download
memory/1488-86-0x0000000001F50000-0x0000000001FA0000-memory.dmp

Filesize
320KB

Download
memory/1488-64-0x0000000000330000-0x000000000036B000-memory.dmp

Filesize
236KB

Download
memory/1488-89-0x0000000001F50000-0x0000000001FA0000-memory.dmp

Filesize
320KB

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1492-69-0x00000000030C0000-0x00000000031E4000-memory.dmp

Filesize
1.1MB

Download
memory/1492-70-0x00000000030C0000-0x00000000031E4000-memory.dmp

Filesize
1.1MB

Download
memory/1492-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1680-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads