15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
Size

7.6MB
MD5

185fc738f4c877fe7681e9d1f9ab8858
SHA1

75dcf80d4b149c3c7875310f37432c6f4e1a108d
SHA256

15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb
SHA512

7f1ac7ccf732e3d0439fa11ba78004acaed6cd22e05edbf4f218fef8a52e22fdcd10717e526706c2f4686be15d5e70bf3fa1c7f2ebd0665c44e7c034b0a887e0
SSDEEP

98304:kzJujwhwGa5SbWf+YFCDsmC7IIdehJJBtjN/Cg0xZLZ4QowKGs8U0RJFv:TshMQaf+HOShHjN/JwxZU2v

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000120e4-1.dat	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000120e4-1.dat	upx
behavioral1/memory/1928-2-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral1/memory/1928-3-0x0000000010000000-0x0000000010176000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\H:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\I:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\J:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\K:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\O:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\T:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\E:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\X:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\U:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\S:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\Z:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\R:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\B:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\N:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\P:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\Y:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\A:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\M:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\Q:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\V:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\W:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
File opened (read-only)	\??\L:	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\zm.dll	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\zm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\zm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1716	2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe	28
PID 2064 wrote to memory of 1716	2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe	28
PID 2064 wrote to memory of 1716	2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe	28
PID 2064 wrote to memory of 1716	2064	15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe	28
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30
PID 1716 wrote to memory of 1928	1716	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe
"C:\Users\Admin\AppData\Local\Temp\15b684fa9609d613aaa10cf1aee3cfe0ece2a26dfd7f2b1068b347c7aac1accb.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /k regsvr32 /s C:\Windows\zm.dll zm.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\zm.dll zm.dll
    3⤵
    - Modifies registry class
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\zm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\qq11503059\gj-data.ini

Filesize
31B

MD5
8020fb0fbe9004a42ee1f39ebe3b02f9

SHA1
d8e775d96c9826a30607c7381637d3709bfa5dfb

SHA256
b597e739e60f1456f27ddd261a545a654c0cfc41a2923095d0bb436bd4db2d83

SHA512
7c937f5826b9d0f5106f18bd32dfe5ea9514202a39e1476043cf1ba32253d75e0f01d3fcb675deca1245657774ff1eba4c83292c7890613b92329e79e914978e

Download Submit
memory/1928-2-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/1928-3-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download