3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 06:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
Size

3.4MB
MD5

7123ba9660904bc686b6fd671bb68320
SHA1

642748e62b22da7d711be1641fbd8834839e4790
SHA256

3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca
SHA512

6cd05f0839cac1f78e694c81a59ad9f91cfc3aa8fe025f931f75651515098da187f6723e43dad749a996ec1bc668cf584fc741082015b5fb1c360f1012a61e65
SSDEEP

98304:eMeSg/XlpO7UgCKgSSH4BAJl2QvzI0kO/uDO7UgCKgSSH4BAJlT:fmlhgblSXJIyujgblSXV

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023063-1.dat	acprotect
behavioral2/files/0x0006000000023063-2.dat	acprotect
behavioral2/files/0x0006000000023063-7.dat	acprotect
behavioral2/files/0x0006000000023063-8.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1320	regsvr32.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023063-1.dat	upx
behavioral2/files/0x0006000000023063-2.dat	upx
behavioral2/memory/1320-3-0x0000000010000000-0x000000001017A000-memory.dmp	upx
behavioral2/memory/1872-5-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/files/0x0006000000023063-7.dat	upx
behavioral2/files/0x0006000000023063-8.dat	upx
behavioral2/memory/1872-9-0x0000000003570000-0x00000000036EA000-memory.dmp	upx
behavioral2/memory/1872-11-0x0000000003570000-0x00000000036EA000-memory.dmp	upx
behavioral2/memory/1872-12-0x0000000010000000-0x0000000010018000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dm.dll	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86
PID 1872 wrote to memory of 1320	1872	3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe	86

C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe
"C:\Users\Admin\AppData\Local\Temp\3488016559f3cc17649b14a8441723d76a54e83883e3b5f6850455588bfe32ca.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\dm.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
C:\Windows\SysWOW64\dm.dll

Filesize
821KB

MD5
459b11596d6532bbc46f15b371810ab5

SHA1
ae66b39e4f5b28cbf2e68cbf90223cec63241a56

SHA256
9737b8480c6fb3facd8e5d325477cbe15f0404688b03f47fa2736757b6215d5d

SHA512
86fb19a0fcc613b55da0694b5943993d96a3f36e9840e05248cb5dca80b7c553cb5772db1284304944be53ebe84036338ea8ffa83fe65c23a8ec4650ac9435b4

Download Submit
memory/1320-3-0x0000000010000000-0x000000001017A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-5-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1872-6-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download
memory/1872-9-0x0000000003570000-0x00000000036EA000-memory.dmp

Filesize
1.5MB

Download
memory/1872-10-0x0000000002CA0000-0x0000000002E40000-memory.dmp

Filesize
1.6MB

Download
memory/1872-11-0x0000000003570000-0x00000000036EA000-memory.dmp

Filesize
1.5MB

Download
memory/1872-12-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1872-13-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download