f1439a6c37bd4b32d86b80966266f07812e6f62a8ae8f96436aadef4b4b03025

Analysis

max time kernel
337s
max time network
401s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ľͷˡ10.5A .exe
Size

3.1MB
MD5

6888bf89383dc531b5f48565473ff282
SHA1

8a5637aaabdf6cf33f01497a8a30f6df1d3c8423
SHA256

28277d5645f1d59fda3b93f301ccadb051a4de4263ae3e26f7b7347ca4ec0816
SHA512

44c6744af094eb9aaf0e1778069e8b591880fb57ae3d5140db52273523e43f43c07249afd9b7ab3f64d7d8f2f952b8d7ce5123c9d46ebcec3d1c1bbe64c8be84
SSDEEP

49152:FZzgXr4iTZaqdwk0c05HGimCJLMBXVr05fc0rw:vcr4iYqdwkLcHHpYnRl

Score

9^/10

evasion upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000c000000022de3-132.dat	acprotect

Blocks application from running via registry modification 6 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "yylauncher.exe"	ľͷˡ10.5A .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "YY.exe"	ľͷˡ10.5A .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "e_patcher.exe"	ľͷˡ10.5A .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "e.exe"	ľͷˡ10.5A .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	ľͷˡ10.5A .exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	ľͷˡ10.5A .exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts2	ľͷˡ10.5A .exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000c000000022de3-132.dat	upx
behavioral4/memory/4628-133-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ľͷˡ10.5A .exe

Loads dropped DLL 1 IoCs

pid	Process
4628	ľͷˡ10.5A .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4628	ľͷˡ10.5A .exe
4628	ľͷˡ10.5A .exe
4628	ľͷˡ10.5A .exe
4628	ľͷˡ10.5A .exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4628	ľͷˡ10.5A .exe
4628	ľͷˡ10.5A .exe
4628	ľͷˡ10.5A .exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2412	4628	ľͷˡ10.5A .exe	83
PID 4628 wrote to memory of 2412	4628	ľͷˡ10.5A .exe	83

C:\Users\Admin\AppData\Local\Temp\ľͷˡ10.5A .exe
"C:\Users\Admin\AppData\Local\Temp\ľͷˡ10.5A .exe"
1⤵
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" www.x5mtr.com
  2⤵
  - Modifies Internet Explorer settings
  PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/4628-133-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download