1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd

Analysis

max time kernel
151s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 16:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
Size

3.2MB
MD5

fd90afc4822d6dd90b5ad33efe90e7be
SHA1

6c1694d20d292e9abf55e674fc8381134164dd19
SHA256

1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd
SHA512

4d8a56afe2a4655ccd748adfdfbd2c2a15453808ff71061ef5e6cbe6e62732462eb9d36c18b373f9f758d9641c5d91e8a8e463daa954dd2b878f262ea6f45fa5
SSDEEP

49152:V3MB0ngskt2y48WD1q9geh1SB3gy4iTZaqdwk0c05HGig:yangsc2n8C1q50BVNYqdwkLcHHg

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00030000000006d3-132.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00030000000006d3-132.dat	upx
behavioral2/memory/4252-136-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\md.dll	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
File created	C:\Windows\SysWOW64\Îó±¨³ÌÐò.ime	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
4252	1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe

C:\Users\Admin\AppData\Local\Temp\1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe
"C:\Users\Admin\AppData\Local\Temp\1491030ed239bb475647985ef2f3360dac2a213867b564e3aea2868724370cdd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Windows\SysWOW64\Îó±¨³ÌÐò.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
C:\Windows\SysWOW64\Îó±¨³ÌÐò.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/4252-135-0x00000000053C0000-0x00000000053CE000-memory.dmp

Filesize
56KB

Download
memory/4252-136-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download