75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407

Resubmissions

30/06/2023, 08:09

230630-j2ll3agf35 7

30/06/2023, 08:03

230630-jxpg6age93 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹 (2)/_D0DE469BB8424834A796EDFE1D0176CA.exe
Size

2.1MB
MD5

4ac3d60c4850e37a9b39976c1553df05
SHA1

45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c
SHA256

c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c
SHA512

7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753
SSDEEP

49152:vepDNj9UCdjGNjXn/S1qe7FFsOAckBNMmH3Cy+3u:vKNjuCpaj61RjONQy++

Score

7^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023145-139.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2776	_D0DE469BB8424834A796EDFE1D0176CA.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023145-139.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2776-133-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect
behavioral2/memory/2776-134-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect
behavioral2/memory/2776-146-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{23F03270-37F2-49D4-B73B-9E2A7FE4CB38}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FAA5A47B-913E-4D48-A451-0825C617DD57}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83872F96-E858-4643-9EF3-DFD2AF651CD8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2556AC7D-4B6A-4943-9EB0-A8C6807AB63E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C3DD29AC-F316-43C3-90D0-965C573E2050}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8401E070-F66A-4BA3-A8E3-7CA4B7A06A1A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9578D02F-4206-4D21-A5E1-9D486A35595E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FFCE30FD-5EE2-40CE-B284-DD89FEF4E1E3}.catalogItem	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	_D0DE469BB8424834A796EDFE1D0176CA.exe
2776	_D0DE469BB8424834A796EDFE1D0176CA.exe

C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7RMPX3MN\OHLL01H6.htm

Filesize
377KB

MD5
d51acb034a9a5d7baa2907d8808e229f

SHA1
18452d07dc3a510b51478a77a9610f3fba65aabd

SHA256
6465a3bcbec0a8698e340bf1664e28aabd7bbb5d1705034c1280d49ee7de67da

SHA512
213d551f990d79d997ad2d02867804acd4404e7c281607a0280b9509abe33c38de038ea0961f0a2433a756c5eb88e3aaac2178c2027bcbdc8e0579b72c56cdb8

Download Submit
C:\Users\Public\Pictures\gj.dll

Filesize
41KB

MD5
d0a62532cecac152bc553474d5899a94

SHA1
fbb691817dfbae7518648c82304e42288b8354e3

SHA256
242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49

SHA512
9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

Download Submit
memory/2776-133-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2776-134-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2776-142-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2776-146-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2776-148-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download