dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1

Analysis

max time kernel
63s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Size

776KB
MD5

80a5e42a196fe53e37632d7fbcc14c02
SHA1

64a7f3c93660f11aed1f255a48e51d4dd9a468a3
SHA256

dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1
SHA512

8f418b57bac60db7b727f35d4bf1e6aed137abc2416e97353fed15ba6ecefa97314fcadefc13f515a5ee1d9c7e53f2adc41f3a257164fa66f741e81bd42b8210
SSDEEP

24576:RoP7vH4pnNbW4o014TTaxLuGIN0oviCT6Dw/t:RgQpnNb7okGTaxLw0uiCT6Ut

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000133e6-61.dat	acprotect
behavioral1/files/0x00070000000133e6-63.dat	acprotect
behavioral1/files/0x0007000000013402-67.dat	acprotect
behavioral1/files/0x0007000000013402-68.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1868	rundll32.exe
680	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\staticial\cmss.jyc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File opened for modification	C:\Program Files\staticial\csrg.jpc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File created	C:\Program Files\staticial\config.ini	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File created	C:\Program Files\staticial\dd.vbs	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\windows\staticial\cmss.jyc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File created	C:\windows\staticial\csrg.jpc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File opened for modification	C:\windows\staticial\csrg.jpc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File created	C:\windows\staticial\config.ini	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File opened for modification	C:\windows\staticial\config.ini	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
File opened for modification	C:\windows\data.dat	rundll32.exe
File created	C:\windows\staticial\cmss.jyc	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1212	ipconfig.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.henbucuo.com/?nn"	rundll32.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open\command	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open\command\ = "rundll32.exe c:\\windows\\staticial\\cmss.jyc,scanMiddle"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\shell\open\command\ = "C:\\PROGRA~1\\MOZILL~1\\firefox.exe http://www.henbucuo.com/?nn"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ttc\ = "ttc"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wri	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\shell	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open\command\ = "rundll32.exe c:\\windows\\staticial\\cmss.jyc,scanMiddle"	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\shell	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\shell\open	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wri\ = "wri"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\DefaultIcon\ = "C:\\Progra~1\\Intern~1\\iexplore.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\shell\open	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\DefaultIcon\ = "C:\\PROGRA~1\\MOZILL~1\\firefox.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ttc\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\shell	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wri\shell\open\command\ = "C:\\Progra~1\\Intern~1\\iexplore.exe http://www.henbucuo.com/?nn"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe
680	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1732	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	27
PID 884 wrote to memory of 1732	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	27
PID 884 wrote to memory of 1732	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	27
PID 884 wrote to memory of 1732	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	27
PID 1732 wrote to memory of 1212	1732	cmd.exe	29
PID 1732 wrote to memory of 1212	1732	cmd.exe	29
PID 1732 wrote to memory of 1212	1732	cmd.exe	29
PID 1732 wrote to memory of 1212	1732	cmd.exe	29
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 884 wrote to memory of 1868	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	30
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 1868 wrote to memory of 680	1868	rundll32.exe	32
PID 884 wrote to memory of 736	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	34
PID 884 wrote to memory of 736	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	34
PID 884 wrote to memory of 736	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	34
PID 884 wrote to memory of 736	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	34
PID 884 wrote to memory of 916	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	35
PID 884 wrote to memory of 916	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	35
PID 884 wrote to memory of 916	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	35
PID 884 wrote to memory of 916	884	dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe	35

C:\Users\Admin\AppData\Local\Temp\dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe
"C:\Users\Admin\AppData\Local\Temp\dfcc764579c75adf684801c646ca46b01cb0d8d17e15945fbf9520ce62c73cb1.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ipconfig /all > c:\WINDOWS\Temp\2020.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\windows\staticial\cmss.jyc",scanMiddle
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Progra~1\staticial\csrg.jpc,scanCook
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe "C:\Program Files\staticial\dd.vbs"
  2⤵
  PID:736
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe "c:\oied.bak.vbs"
  2⤵
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\staticial\dd.vbs

Filesize
467B

MD5
fdf5894fca182230626f28848359ba7c

SHA1
cdde473b87b1d4b0faa01ce16c753d75a39509ae

SHA256
1aca5ca82e9890f5d1385752ea26d5111648d90c74d1fdd5b20505d6f67b7908

SHA512
f450cb1197392bfb79e713c17de8c6869e83805d2f2c03a4ee1e0bdf43c935bf83e6f43116c9b51d702d3ebe18b9c6eb46deb7555b068623ecf0bf4b513b6446

Download Submit
C:\Progra~1\staticial\config.ini

Filesize
51B

MD5
baf70f83cca0588f2aee3518f46f5510

SHA1
a55a4b1fed37ab315d1a19dc4fbd46f75fa3e23a

SHA256
42e85d9660073fd141c53b8682424a080947bce2ad5a2b9e2d44485fc6ae9782

SHA512
c020352adf727841faa3b01a0cc965252ea0386a354a0db35ca04d1afdb3f3930b42622f3d4f48f2b7e3c57820c3f3fa884acaf8f40f6ce85407cb39f3228025

Download Submit
C:\Progra~1\staticial\csrg.jpc

Filesize
337KB

MD5
c26d9a84820ba9b651cc6b84087106f5

SHA1
0bf6f73dcaf87df516c41d4e3390ff734f8b9232

SHA256
e46566ccfc7f4dbc7a49adeb394ddda92fda7c775d68374a6c9d5f91d508b9b7

SHA512
705f204cdba364381e6d8249793df8fa6497e8939cef80ff3239bcf2bc85a2ea340f1023c93a5f704e4c91013ba5c9c2c211d7e227ff3a7f44807f120dddbda2

Download Submit
C:\windows\staticial\cmss.jyc

Filesize
387KB

MD5
442b54d3a1d24adc3f2879ae10213f66

SHA1
6878e624745d02037eb045923175d1e7505dbeae

SHA256
2f46f2b23002c38697d7171f0d6bb612d83ab894175ae57e6e4fb2dadd3a0326

SHA512
9988b48c22d1e34bbd56714b3dcbe2a7813ae8aef3fa34b9f4bc1e4c4ebe887fa93437996ce399fa6930b3dfbcb272180f36788cd0cc08c98de2c8c2e2fc8f49

Download Submit
\??\c:\WINDOWS\Temp\2020.tmp

Filesize
1KB

MD5
bc7fea9fc3bf90645cf0f51174d2b514

SHA1
dc662834f9953075a95a1eaafa8f4ccdba30a2c0

SHA256
f222767470ae25fec6a98675636aaf74a3708ef347f8e6cf0b5e610a83db26e3

SHA512
edda13f7de946efd1c21472ba12788251ac1fe72c246ca71c548c3bddced22080bd94b8d0304e71c9a769382f64b85b1d73a009d45aa1d3ddd39f903c342f5ef

Download Submit
\??\c:\oied.bak.vbs

Filesize
424B

MD5
9008c98bdb849cf9a8491abdc432bf72

SHA1
afed958787c084787d73f5a1cbfd970379234288

SHA256
42f763b3c5c81d16458e94ac17ab626d1c2b3111927cb48a51ed081315cb8413

SHA512
de6fc74638c8ca4e37ff620c8bbbb3f84456f94d3405464c335d9124ef76cc5bf3675d11b3948cacfc0031b94b537787e87b9cd6847f6a577cc3d196f363bdd4

Download Submit
\PROGRA~1\staticial\csrg.jpc

Filesize
337KB

MD5
c26d9a84820ba9b651cc6b84087106f5

SHA1
0bf6f73dcaf87df516c41d4e3390ff734f8b9232

SHA256
e46566ccfc7f4dbc7a49adeb394ddda92fda7c775d68374a6c9d5f91d508b9b7

SHA512
705f204cdba364381e6d8249793df8fa6497e8939cef80ff3239bcf2bc85a2ea340f1023c93a5f704e4c91013ba5c9c2c211d7e227ff3a7f44807f120dddbda2

Download Submit
\Windows\staticial\cmss.jyc

Filesize
387KB

MD5
442b54d3a1d24adc3f2879ae10213f66

SHA1
6878e624745d02037eb045923175d1e7505dbeae

SHA256
2f46f2b23002c38697d7171f0d6bb612d83ab894175ae57e6e4fb2dadd3a0326

SHA512
9988b48c22d1e34bbd56714b3dcbe2a7813ae8aef3fa34b9f4bc1e4c4ebe887fa93437996ce399fa6930b3dfbcb272180f36788cd0cc08c98de2c8c2e2fc8f49

Download Submit
memory/680-70-0x0000000010000000-0x00000000100FC000-memory.dmp

Filesize
1008KB

Download
memory/884-57-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1868-69-0x0000000010000000-0x0000000010126000-memory.dmp

Filesize
1.1MB

Download