f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe
Size

2.4MB
MD5

aef8e3aca1dd4001b2a1d08ca9263b1b
SHA1

7174a20707f704a25a47c4a35f132034647eb24f
SHA256

f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8
SHA512

121019179d77d0031121424a111e22dc1c2704f394be381999fa1bce4de507011ea9be0ee3257a0aa2d9108521adb6334f35dd2b992ab47e341d5d6f4b31b9ab
SSDEEP

49152:bFn7G4/Kx7vwbkH+7yxto5sl2XCL9HD35JH0mXGaTF9BDrJQvExcPXiHsq:b57G4ccbke7wto5slxL9HzbBWaTjBrLb

Score

7^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023208-12.dat	acprotect
behavioral2/files/0x0007000000023208-9.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5096	usbtechsh.exe

Loads dropped DLL 1 IoCs

pid	Process
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023208-12.dat	upx
behavioral2/files/0x0007000000023208-9.dat	upx
behavioral2/memory/380-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/380-13-0x0000000010000000-0x000000001003D000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/380-0-0x0000000000400000-0x0000000000963000-memory.dmp	vmprotect
behavioral2/memory/380-1-0x0000000000400000-0x0000000000963000-memory.dmp	vmprotect
behavioral2/memory/380-18-0x0000000000400000-0x0000000000963000-memory.dmp	vmprotect
behavioral2/memory/380-19-0x0000000000400000-0x0000000000963000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe
380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4216	380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe	87
PID 380 wrote to memory of 4216	380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe	87
PID 380 wrote to memory of 4216	380	f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe	87
PID 4216 wrote to memory of 5096	4216	cmd.exe	89
PID 4216 wrote to memory of 5096	4216	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe
"C:\Users\Admin\AppData\Local\Temp\f50c9b0efa555496e5421d0889f2d74ace20af8456d130e618f7857cacd62ad8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\usb\usbtechsh.exe -list
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\usb\usbtechsh.exe
    C:\usb\usbtechsh.exe -list
    3⤵
    - Executes dropped EXE
    PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\usb\usbtechsh.exe

Filesize
220KB

MD5
bbbedc7b528797ffb5a906129ba220df

SHA1
612af05ffbb1690361f94a2455bbde4c828d5227

SHA256
fb08c198d3a3f678603174da463bac7ab76a9b8246a6d7000054085607d0634c

SHA512
4d6e2f87dba80f2fec161f38800eb56a554cf991d274393dc787ca4ac86797414e7049a4d20f6992ad23823c370a2e3aaa29d81dd019f50db13a90763d092316

Download Submit
C:\usb\usbtechsh.exe

Filesize
220KB

MD5
bbbedc7b528797ffb5a906129ba220df

SHA1
612af05ffbb1690361f94a2455bbde4c828d5227

SHA256
fb08c198d3a3f678603174da463bac7ab76a9b8246a6d7000054085607d0634c

SHA512
4d6e2f87dba80f2fec161f38800eb56a554cf991d274393dc787ca4ac86797414e7049a4d20f6992ad23823c370a2e3aaa29d81dd019f50db13a90763d092316

Download Submit
memory/380-0-0x0000000000400000-0x0000000000963000-memory.dmp

Filesize
5.4MB

Download
memory/380-1-0x0000000000400000-0x0000000000963000-memory.dmp

Filesize
5.4MB

Download
memory/380-4-0x00000000767C0000-0x00000000767C1000-memory.dmp

Filesize
4KB

Download
memory/380-5-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/380-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/380-13-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/380-18-0x0000000000400000-0x0000000000963000-memory.dmp

Filesize
5.4MB

Download
memory/380-19-0x0000000000400000-0x0000000000963000-memory.dmp

Filesize
5.4MB

Download