ff9b69cfe22dd2ca3cdbf72fa1ec5d4d9d4cfd5c6cacb1a657d9a284feddfb6e

General

Target

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
Size

3.5MB
MD5

a6aa27de4b15f9446d997c4bb85ad5c9
SHA1

54fd8761bdbc75d660ef7d2402eef2c44e71cf7f
SHA256

ff9b69cfe22dd2ca3cdbf72fa1ec5d4d9d4cfd5c6cacb1a657d9a284feddfb6e
SHA512

1d2eb4cdd4c87858f1c7cc6a281fd37326af3e736ae3dead64ad6ac390af199110a7fe5cb0cda5c60d6b154e7b20b906d1c45f6032c44b2c8eba24650480fd8e
SSDEEP

49152:dHK3ocHZd9i+Rj8HhL+BuHcoTdaYWVegnnqrSeyt4GcokGzrTrURQb0bHj5Nb:MT9lRIBWuBhBgqrSeuXkurUjbjbb

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ds.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\ds.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\ds.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

TysxClient_setup_2.0.107.exe

pid process

224 TysxClient_setup_2.0.107.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeTysxClient_setup_2.0.107.exe

pid process

2388 regsvr32.exe
224 TysxClient_setup_2.0.107.exe

pid	process
224	TysxClient_setup_2.0.107.exe

pid	process
2388	regsvr32.exe
224	TysxClient_setup_2.0.107.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\TysxClient_setup_2.0.107.exe	upx
C:\Program Files\TysxClient_setup_2.0.107.exe	upx
behavioral2/memory/224-137-0x0000000000400000-0x000000000069E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ds.dll	upx
C:\Users\Admin\AppData\Local\Temp\ds.dll	upx
behavioral2/memory/2388-142-0x0000000010000000-0x0000000010176000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ds.dll	upx
behavioral2/memory/224-144-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral2/memory/224-146-0x0000000000400000-0x000000000069E000-memory.dmp	upx
behavioral2/memory/224-148-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral2/memory/224-163-0x0000000000400000-0x000000000069E000-memory.dmp	upx
behavioral2/memory/224-175-0x0000000000400000-0x000000000069E000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

description ioc process

File created C:\Program Files\TysxClient_setup_2.0.107.exe NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

description	ioc	process
File created	C:\Program Files\TysxClient_setup_2.0.107.exe	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

Drops file in Windows directory 4 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

description	ioc	process
File created	C:\WINDOWS\Media\ActiveX.ocx	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

Modifies registry class 37 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ds.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ds.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

NTFS ADS 3 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

description	ioc	process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

pid process

1540 NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
1540 NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

pid process

1540 NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exeTysxClient_setup_2.0.107.exe

pid process

1540 NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
224 TysxClient_setup_2.0.107.exe
224 TysxClient_setup_2.0.107.exe

pid	process
1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

pid	process
1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe

pid	process
1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
224	TysxClient_setup_2.0.107.exe
224	TysxClient_setup_2.0.107.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exeTysxClient_setup_2.0.107.execmd.exe

description	pid	process	target process
PID 1540 wrote to memory of 224	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	TysxClient_setup_2.0.107.exe
PID 1540 wrote to memory of 224	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	TysxClient_setup_2.0.107.exe
PID 1540 wrote to memory of 224	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	TysxClient_setup_2.0.107.exe
PID 224 wrote to memory of 1720	224	TysxClient_setup_2.0.107.exe	cmd.exe
PID 224 wrote to memory of 1720	224	TysxClient_setup_2.0.107.exe	cmd.exe
PID 224 wrote to memory of 1720	224	TysxClient_setup_2.0.107.exe	cmd.exe
PID 1720 wrote to memory of 2388	1720	cmd.exe	regsvr32.exe
PID 1720 wrote to memory of 2388	1720	cmd.exe	regsvr32.exe
PID 1720 wrote to memory of 2388	1720	cmd.exe	regsvr32.exe
PID 1540 wrote to memory of 5064	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	regsvr32.exe
PID 1540 wrote to memory of 5064	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	regsvr32.exe
PID 1540 wrote to memory of 5064	1540	NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_NA_NA_a6aa27de4b15f9ex_JC.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files\TysxClient_setup_2.0.107.exe
  "C:\Program Files\TysxClient_setup_2.0.107.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regsvr32 /s ds.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s ds.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2388
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TysxClient_setup_2.0.107.exe

Filesize
1.3MB

MD5
33d529127707cf47856c60c44d6ca585

SHA1
ac9df8cc473ed595e53832ee3025e4a455283511

SHA256
fdfcad4be0ba4d01b62be2004b780cd1d811191ef5ab0096834f665f8812c3de

SHA512
6a4fdb84503ab298563c95ee4dfcc417ed9d9541c8fd3078997aeed5849a2f75ebb247986b23cfa31dc3ea2a3dca773860fee6b6705c5c343179e290e26bcf0e

Download Submit
C:\Program Files\TysxClient_setup_2.0.107.exe

Filesize
1.3MB

MD5
33d529127707cf47856c60c44d6ca585

SHA1
ac9df8cc473ed595e53832ee3025e4a455283511

SHA256
fdfcad4be0ba4d01b62be2004b780cd1d811191ef5ab0096834f665f8812c3de

SHA512
6a4fdb84503ab298563c95ee4dfcc417ed9d9541c8fd3078997aeed5849a2f75ebb247986b23cfa31dc3ea2a3dca773860fee6b6705c5c343179e290e26bcf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
e724e5b28e2473d23bc67830b0d1020f

SHA1
2f79039b56d624bdd34aea2038ca57a59f7e2d1c

SHA256
7544168fcfb35ad557f0341db87050615a6dea368d970a6f6cf41df81f8359bb

SHA512
8425187cc19105aa26bb3db2bb90aaeea6cc9fdbfd8dc86e8a828a6cef92423b9c37a530b5eb6727e10d8742e64ace174e7fe28cc9e4d75a1ffd14b7af465e40

Download Submit
memory/224-137-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/224-144-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/224-145-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/224-146-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/224-148-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/224-163-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/224-175-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2388-142-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads