b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2

General

Target

b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe
Size

34KB
MD5

6ad7192169125cc8eb6e76e629fabf7a
SHA1

138680488617ddc1c42c06f98aab399eda93a352
SHA256

b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2
SHA512

2533f12629156581e553889f99d76ddce40bada8ee2a0ae4701ba179b59e00b83f17c8996f8c297ed4377e515458a073204892e636463bd144cb3602b55f4df4
SSDEEP

768:REjoldIsxKGrhdnIECnbcuyD7UF2rTQEf06e4FSMKv2ICAiOLk:REIdPxBrIECnouy8FiQ+JecW2ICAiO4

Score

9^/10

upx

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00140000000054ab-60.dat	acprotect
behavioral1/files/0x00140000000054ab-59.dat	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1732-56-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-60.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/memory/968-61-0x00000000701A0000-0x00000000701AB000-memory.dmp	upx
behavioral1/memory/1732-62-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
968	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O538997.dll	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O538997.dll	regsvr32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32\Original = "C:\\Windows\\SysWOW64\\urlmon.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\DA0O538997.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32\Original = "C:\\Windows\\SysWOW64\\Dxtrans.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\DA0O538997.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEFFD4A5-FC5D-4427-920D-E4917AAD09EE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	968	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27
PID 1732 wrote to memory of 968	1732	b8831b4e947c9a8b36f2a8cb31da9c7f5a5a5325bc608285f442293fc6024cc2.exe	27

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DA0O538997.dll

Filesize
15KB

MD5
190da29d5f5683f33c4e8847f27045b7

SHA1
ca7478e5f729f2854edc92255e6dda285e7a35d7

SHA256
3b228e6a5cf10bbe1f2b98af59c97862c031efcf7eb4cf760ab0b88f5fdadb84

SHA512
a9583ba9a432b3bdb23e52bdc24a6bfdbc87207b278b13dafbb68852f2557202e3389ee2b55e2e1a5eda4b039ec1d5a24da5755f4f2932036db1d3334ffe45e3

Download Submit
\Program Files (x86)\Common Files\microsoft shared\DAO\DA0O538997.dll

Filesize
15KB

MD5
190da29d5f5683f33c4e8847f27045b7

SHA1
ca7478e5f729f2854edc92255e6dda285e7a35d7

SHA256
3b228e6a5cf10bbe1f2b98af59c97862c031efcf7eb4cf760ab0b88f5fdadb84

SHA512
a9583ba9a432b3bdb23e52bdc24a6bfdbc87207b278b13dafbb68852f2557202e3389ee2b55e2e1a5eda4b039ec1d5a24da5755f4f2932036db1d3334ffe45e3

Download Submit
memory/968-58-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/968-61-0x00000000701A0000-0x00000000701AB000-memory.dmp

Filesize
44KB

Download
memory/1732-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1732-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download