3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
Size

3.4MB
MD5

7123ba9660904bc686b6fd671bb68320
SHA1

642748e62b22da7d711be1641fbd8834839e4790
SHA256

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca
SHA512

6cd05f0839cac1f78e694c81a59ad9f91cfc3aa8fe025f931f75651515098da187f6723e43dad749a996ec1bc668cf584fc741082015b5fb1c360f1012a61e65
SSDEEP

98304:eMeSg/XlpO7UgCKgSSH4BAJl2QvzI0kO/uDO7UgCKgSSH4BAJlT:fmlhgblSXJIyujgblSXV

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0014000000011fff-1.dat	acprotect
behavioral1/files/0x0014000000011fff-2.dat	acprotect
behavioral1/files/0x0014000000011fff-9.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1936	regsvr32.exe
2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0014000000011fff-1.dat	upx
behavioral1/files/0x0014000000011fff-2.dat	upx
behavioral1/memory/1936-3-0x0000000010000000-0x000000001017A000-memory.dmp	upx
behavioral1/memory/2436-5-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/files/0x0014000000011fff-9.dat	upx
behavioral1/memory/2436-10-0x00000000037D0000-0x000000000394A000-memory.dmp	upx
behavioral1/memory/2436-12-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/2436-14-0x00000000037D0000-0x000000000394A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dm.dll	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28
PID 2436 wrote to memory of 1936	2436	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	28

C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
"C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\dm.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
memory/1936-3-0x0000000010000000-0x000000001017A000-memory.dmp

Filesize
1.5MB

Download
memory/2436-5-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2436-6-0x0000000002BB0000-0x0000000002D40000-memory.dmp

Filesize
1.6MB

Download
memory/2436-8-0x00000000756C0000-0x00000000757D0000-memory.dmp

Filesize
1.1MB

Download
memory/2436-10-0x00000000037D0000-0x000000000394A000-memory.dmp

Filesize
1.5MB

Download
memory/2436-11-0x0000000002BB0000-0x0000000002D40000-memory.dmp

Filesize
1.6MB

Download
memory/2436-12-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2436-13-0x00000000756C0000-0x00000000757D0000-memory.dmp

Filesize
1.1MB

Download
memory/2436-14-0x00000000037D0000-0x000000000394A000-memory.dmp

Filesize
1.5MB

Download