e27311ff3902a363712358eea8592ca31071bab168ff09374482bf893a61039a

General

Target

e53582e7dbeb7aex_JC.exe
Size

3.5MB
MD5

e53582e7dbeb7ac0d3528397f3b5faef
SHA1

6c2e2a8b82ae565ea1ca53696acc8ffb62b09b27
SHA256

e27311ff3902a363712358eea8592ca31071bab168ff09374482bf893a61039a
SHA512

f1a1badb84c72745ae2ab23d3b6c482f82b89e7596076328983545df275e11c37aa1bcff55d502c6b112d18955c45a26e1a06f95effad896f32c188fb6689977
SSDEEP

49152:dHK3ocHZd9i+Rj8HhL+BuHcoTdaYWVegnnqrSeyt4GcokGzrTrURQb0bHj5NQ:MT9lRIBWuBhBgqrSeuXkurUjbjbQ

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ds.dll	acprotect
\Users\Admin\AppData\Local\Temp\ds.dll	acprotect
\Users\Admin\AppData\Local\Temp\ds.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

TysxClient_setup_2.0.107.exe

pid process

2400 TysxClient_setup_2.0.107.exe
Loads dropped DLL 3 IoCs

Processes:

e53582e7dbeb7aex_JC.exeregsvr32.exeTysxClient_setup_2.0.107.exe

pid process

2204 e53582e7dbeb7aex_JC.exe
3060 regsvr32.exe
2400 TysxClient_setup_2.0.107.exe

pid	process
2400	TysxClient_setup_2.0.107.exe

pid	process
2204	e53582e7dbeb7aex_JC.exe
3060	regsvr32.exe
2400	TysxClient_setup_2.0.107.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\TysxClient_setup_2.0.107.exe	upx
C:\Program Files\TysxClient_setup_2.0.107.exe	upx
behavioral1/memory/2204-57-0x00000000024D0000-0x000000000276E000-memory.dmp	upx
behavioral1/memory/2400-59-0x0000000000400000-0x000000000069E000-memory.dmp	upx
C:\Program Files\TysxClient_setup_2.0.107.exe	upx
C:\Users\Admin\AppData\Local\Temp\ds.dll	upx
\Users\Admin\AppData\Local\Temp\ds.dll	upx
behavioral1/memory/3060-71-0x0000000010000000-0x0000000010176000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ds.dll	upx
behavioral1/memory/2400-73-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral1/memory/2400-90-0x0000000000400000-0x000000000069E000-memory.dmp	upx
behavioral1/memory/2400-92-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral1/memory/2400-107-0x0000000000400000-0x000000000069E000-memory.dmp	upx
behavioral1/memory/2400-119-0x0000000000400000-0x000000000069E000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

e53582e7dbeb7aex_JC.exe

description ioc process

File created C:\Program Files\TysxClient_setup_2.0.107.exe e53582e7dbeb7aex_JC.exe

description	ioc	process
File created	C:\Program Files\TysxClient_setup_2.0.107.exe	e53582e7dbeb7aex_JC.exe

Drops file in Windows directory 4 IoCs

Processes:

e53582e7dbeb7aex_JC.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	e53582e7dbeb7aex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	e53582e7dbeb7aex_JC.exe
File created	C:\WINDOWS\Media\ActiveX.ocx	e53582e7dbeb7aex_JC.exe
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	e53582e7dbeb7aex_JC.exe

Modifies registry class 37 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ds.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ds.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

NTFS ADS 3 IoCs

Processes:

e53582e7dbeb7aex_JC.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	e53582e7dbeb7aex_JC.exe
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	e53582e7dbeb7aex_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	e53582e7dbeb7aex_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e53582e7dbeb7aex_JC.exe

pid process

2204 e53582e7dbeb7aex_JC.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e53582e7dbeb7aex_JC.exe

pid process

2204 e53582e7dbeb7aex_JC.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

e53582e7dbeb7aex_JC.exeTysxClient_setup_2.0.107.exe

pid process

2204 e53582e7dbeb7aex_JC.exe
2400 TysxClient_setup_2.0.107.exe
2400 TysxClient_setup_2.0.107.exe

pid	process
2204	e53582e7dbeb7aex_JC.exe

pid	process
2204	e53582e7dbeb7aex_JC.exe

pid	process
2204	e53582e7dbeb7aex_JC.exe
2400	TysxClient_setup_2.0.107.exe
2400	TysxClient_setup_2.0.107.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

e53582e7dbeb7aex_JC.exeTysxClient_setup_2.0.107.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2204 wrote to memory of 2400	2204	e53582e7dbeb7aex_JC.exe	TysxClient_setup_2.0.107.exe
PID 2400 wrote to memory of 3064	2400	TysxClient_setup_2.0.107.exe	cmd.exe
PID 2400 wrote to memory of 3064	2400	TysxClient_setup_2.0.107.exe	cmd.exe
PID 2400 wrote to memory of 3064	2400	TysxClient_setup_2.0.107.exe	cmd.exe
PID 2400 wrote to memory of 3064	2400	TysxClient_setup_2.0.107.exe	cmd.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 3064 wrote to memory of 3060	3064	cmd.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe
PID 2204 wrote to memory of 740	2204	e53582e7dbeb7aex_JC.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\e53582e7dbeb7aex_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e53582e7dbeb7aex_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files\TysxClient_setup_2.0.107.exe
  "C:\Program Files\TysxClient_setup_2.0.107.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regsvr32 /s ds.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s ds.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3060
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TysxClient_setup_2.0.107.exe

Filesize
1.3MB

MD5
33d529127707cf47856c60c44d6ca585

SHA1
ac9df8cc473ed595e53832ee3025e4a455283511

SHA256
fdfcad4be0ba4d01b62be2004b780cd1d811191ef5ab0096834f665f8812c3de

SHA512
6a4fdb84503ab298563c95ee4dfcc417ed9d9541c8fd3078997aeed5849a2f75ebb247986b23cfa31dc3ea2a3dca773860fee6b6705c5c343179e290e26bcf0e

Download Submit
C:\Program Files\TysxClient_setup_2.0.107.exe

Filesize
1.3MB

MD5
33d529127707cf47856c60c44d6ca585

SHA1
ac9df8cc473ed595e53832ee3025e4a455283511

SHA256
fdfcad4be0ba4d01b62be2004b780cd1d811191ef5ab0096834f665f8812c3de

SHA512
6a4fdb84503ab298563c95ee4dfcc417ed9d9541c8fd3078997aeed5849a2f75ebb247986b23cfa31dc3ea2a3dca773860fee6b6705c5c343179e290e26bcf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
966bac3b2786068372451427653f7bb4

SHA1
972f61560abd6ba706e6537d5346bff6daecff0d

SHA256
24c649ca17ef69b8f1b58f71bec150ecb79a3a299f6d34236579cbee59c8242f

SHA512
5e5c9ca57e08770bab6381a99bd169c32dacb48c31c6dbf56cd8ce3307c2f9c75215a8e3ab6988c507023bdbeac110af1e29d4677ffcb5c28eb68226201906be

Download Submit
\Program Files\TysxClient_setup_2.0.107.exe

Filesize
1.3MB

MD5
33d529127707cf47856c60c44d6ca585

SHA1
ac9df8cc473ed595e53832ee3025e4a455283511

SHA256
fdfcad4be0ba4d01b62be2004b780cd1d811191ef5ab0096834f665f8812c3de

SHA512
6a4fdb84503ab298563c95ee4dfcc417ed9d9541c8fd3078997aeed5849a2f75ebb247986b23cfa31dc3ea2a3dca773860fee6b6705c5c343179e290e26bcf0e

Download Submit
\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
\Users\Admin\AppData\Local\Temp\ds.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
memory/2204-89-0x00000000024D0000-0x000000000276E000-memory.dmp

Filesize
2.6MB

Download
memory/2204-57-0x00000000024D0000-0x000000000276E000-memory.dmp

Filesize
2.6MB

Download
memory/2400-59-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2400-73-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/2400-79-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2400-90-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2400-92-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/2400-107-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2400-119-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/3060-71-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads