3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 06:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
Size

3.4MB
MD5

7123ba9660904bc686b6fd671bb68320
SHA1

642748e62b22da7d711be1641fbd8834839e4790
SHA256

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca
SHA512

6cd05f0839cac1f78e694c81a59ad9f91cfc3aa8fe025f931f75651515098da187f6723e43dad749a996ec1bc668cf584fc741082015b5fb1c360f1012a61e65
SSDEEP

98304:eMeSg/XlpO7UgCKgSSH4BAJl2QvzI0kO/uDO7UgCKgSSH4BAJlT:fmlhgblSXJIyujgblSXV

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023063-1.dat	acprotect
behavioral2/files/0x0006000000023063-2.dat	acprotect
behavioral2/files/0x0006000000023063-7.dat	acprotect
behavioral2/files/0x0006000000023063-8.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1320	regsvr32.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023063-1.dat	upx
behavioral2/files/0x0006000000023063-2.dat	upx
behavioral2/memory/1320-3-0x0000000010000000-0x000000001017A000-memory.dmp	upx
behavioral2/memory/1872-5-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/files/0x0006000000023063-7.dat	upx
behavioral2/files/0x0006000000023063-8.dat	upx
behavioral2/memory/1872-9-0x0000000003570000-0x00000000036EA000-memory.dmp	upx
behavioral2/memory/1872-11-0x0000000003570000-0x00000000036EA000-memory.dmp	upx
behavioral2/memory/1872-12-0x0000000010000000-0x0000000010018000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dm.dll	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86

C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
"C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\dm.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1320

Network

DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

16.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.173.189.20.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

16.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

16.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
memory/1320-3-0x0000000010000000-0x000000001017A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-5-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1872-6-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download
memory/1872-9-0x0000000003570000-0x00000000036EA000-memory.dmp

Filesize
1.5MB

Download
memory/1872-10-0x0000000002CA0000-0x0000000002E40000-memory.dmp

Filesize
1.6MB

Download
memory/1872-11-0x0000000003570000-0x00000000036EA000-memory.dmp

Filesize
1.5MB

Download
memory/1872-12-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1872-13-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.