f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74

Analysis

max time kernel
202s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe
Size

198KB
MD5

dfef99c8638b87859046f5b8654e0e28
SHA1

a81d9c8aa6a4947c2df49cba68e070242f1dfde2
SHA256

f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74
SHA512

e481b4c574f0ad6549f5de24678d28a70b07e2e7585097fbce09effb388f8e2827a94ba2e4dfdaaae3757660cea9103d20025b7b0d7907d1916a2867d9d462bb
SSDEEP

6144:JI1XoZKzIUxrc5NYXSsq1fMbU8p9OGaLzy7OmoyBYQpQ4:J+WKMaWWiBQU8pvN55BXpP

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002307d-137.dat	acprotect
behavioral2/files/0x000800000002307d-138.dat	acprotect

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/216-132-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/files/0x000800000002307d-137.dat	upx
behavioral2/files/0x000800000002307d-138.dat	upx
behavioral2/memory/2484-139-0x0000000010000000-0x000000001009A000-memory.dmp	upx
behavioral2/memory/216-140-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/216-142-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4260	regsvr32.exe
2484	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\try5085.dll	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe
File created	C:\Windows\SysWOW64\dllcache\try5085.dll	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe
File created	C:\Windows\SysWOW64\fssyfile.dll	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb.1\ = "MuOb Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib\ = "{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ = "IMuOb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb\ = "MuOb Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb\CurVer\ = "Test33.MuOb.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib\ = "{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb\CLSID\ = "{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\ProgID\ = "Test33.MuOb.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb.1\CLSID\ = "{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\InprocServer32\ = "C:\\Windows\\SysWow64\\fssyfile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\TypeLib\ = "{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test33.MuOb\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\ = "test33 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\ = "MuOb Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}\VersionIndependentProgID\ = "Test33.MuOb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67A1AC1C-7B71-4617-8B81-D0DCEF0EA725}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\fssyfile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ = "IMuOb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6114286-BD78-45BF-8F06-C643DFECB255}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	rundll32.exe
2484	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4260	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	82
PID 216 wrote to memory of 4260	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	82
PID 216 wrote to memory of 4260	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	82
PID 216 wrote to memory of 2484	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	83
PID 216 wrote to memory of 2484	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	83
PID 216 wrote to memory of 2484	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	83
PID 216 wrote to memory of 5088	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	85
PID 216 wrote to memory of 5088	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	85
PID 216 wrote to memory of 5088	216	f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe	85

C:\Users\Admin\AppData\Local\Temp\f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe
"C:\Users\Admin\AppData\Local\Temp\f39bb0789013983467bd3a281b547e556e01f3c95dafa6b3e1edc504df957f74.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\fssyfile.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 try5085.dll , InstallMyDll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
0a00efceb81cd4edfa2db3013f911b90

SHA1
853ea7dc6dbd3b4684e37cab1602569d12dc8c90

SHA256
a4fb7c772eadbff884493b6b724bbd0eebc968ee56fd3d3164f366508e16ba72

SHA512
44ab3f18c1bc36bcc9e2334fe3c0b63d9728ace80ddfd5b8d8fd58d321390bf902bbd54ba2b6d24fec9960fcb445175f97b391dbe20a6780966b5c1872ffe0a7

Download Submit
C:\Windows\SysWOW64\fssyfile.dll

Filesize
32KB

MD5
21dfe98d9c9ca73924960f518bd0e5e2

SHA1
49b5b1c0b9d678ec02b8163032ed9f39665a7d2c

SHA256
cc5d6e0669e08430bb9466850dc38733e7b4808431039bec6060346a63208261

SHA512
ca6a635396422a25276db28c5a0ad81a32127b4d66426c401ca2e4fe1b20739e5561eb05846d6506698ce70a18d48ccbc887edfc8d6be07cc231528720a7b455

Download Submit
C:\Windows\SysWOW64\fssyfile.dll

Filesize
32KB

MD5
21dfe98d9c9ca73924960f518bd0e5e2

SHA1
49b5b1c0b9d678ec02b8163032ed9f39665a7d2c

SHA256
cc5d6e0669e08430bb9466850dc38733e7b4808431039bec6060346a63208261

SHA512
ca6a635396422a25276db28c5a0ad81a32127b4d66426c401ca2e4fe1b20739e5561eb05846d6506698ce70a18d48ccbc887edfc8d6be07cc231528720a7b455

Download Submit
C:\Windows\SysWOW64\try5085.dll

Filesize
168KB

MD5
c974570bf81388924a133197c512d731

SHA1
dab2e57d37ead95e62f01d8650e01411e36d8e51

SHA256
cf64c23ac3f0a3623d9a24c93cd95185d9f3e54f6eca350575799d5de4d9712b

SHA512
9530ff3e358319c394ab79a7c5eb17f8dfbe8e9fa96facc08b858589c7280f22c5411ef7986a1c2c2d7f5c15485f67a64d9f555972fb810e5df682359d512b4e

Download Submit
C:\Windows\SysWOW64\try5085.dll

Filesize
168KB

MD5
c974570bf81388924a133197c512d731

SHA1
dab2e57d37ead95e62f01d8650e01411e36d8e51

SHA256
cf64c23ac3f0a3623d9a24c93cd95185d9f3e54f6eca350575799d5de4d9712b

SHA512
9530ff3e358319c394ab79a7c5eb17f8dfbe8e9fa96facc08b858589c7280f22c5411ef7986a1c2c2d7f5c15485f67a64d9f555972fb810e5df682359d512b4e

Download Submit
memory/216-132-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/216-140-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/216-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2484-139-0x0000000010000000-0x000000001009A000-memory.dmp

Filesize
616KB

Download