711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 21:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
Size

4.8MB
MD5

faad5480bf069d1925da8c40d910d7ba
SHA1

d6cd814d913f31ca62e8bbea2ec746c9351f0803
SHA256

711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1
SHA512

79c317c5937030edc388f5134a75837f0fcf85682b974a8facf241a676ed1ae5f7c38bba3c88152bb2f88717e892ba19a92a88c4ebdfc0a8e9ce8b3ccdd2bcfc
SSDEEP

98304:dz9qPaEv3SpsRhVPDcurz0U8lF8aWHTdPNt5Lq+mFKpl4:uHThVIkb878a0TlR44pl4

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012288-2.dat	acprotect
behavioral1/files/0x000a000000012288-3.dat	acprotect
behavioral1/files/0x002b000000015c7c-5.dat	acprotect
behavioral1/files/0x000a000000012288-8.dat	acprotect
behavioral1/files/0x002b000000015c7c-153.dat	acprotect
behavioral1/files/0x002b000000015c7c-152.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
2588	regsvr32.exe
1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
1556	WerFault.exe
1556	WerFault.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012288-2.dat	upx
behavioral1/files/0x000a000000012288-3.dat	upx
behavioral1/memory/2588-4-0x0000000010000000-0x000000001036B000-memory.dmp	upx
behavioral1/files/0x002b000000015c7c-5.dat	upx
behavioral1/memory/1956-7-0x0000000010000000-0x0000000010169000-memory.dmp	upx
behavioral1/memory/1956-9-0x0000000010000000-0x0000000010169000-memory.dmp	upx
behavioral1/files/0x000a000000012288-8.dat	upx
behavioral1/memory/1956-10-0x0000000010000000-0x0000000010169000-memory.dmp	upx
behavioral1/memory/1956-13-0x00000000046E0000-0x0000000004A4B000-memory.dmp	upx
behavioral1/memory/1956-114-0x00000000046E0000-0x0000000004A4B000-memory.dmp	upx
behavioral1/memory/1956-117-0x00000000046E0000-0x0000000004A4B000-memory.dmp	upx
behavioral1/memory/1956-143-0x00000000046E0000-0x0000000004A4B000-memory.dmp	upx
behavioral1/files/0x002b000000015c7c-153.dat	upx
behavioral1/files/0x002b000000015c7c-152.dat	upx
behavioral1/memory/1956-154-0x0000000010000000-0x0000000010169000-memory.dmp	upx
behavioral1/memory/1956-156-0x00000000046E0000-0x0000000004A4B000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1556	1956	WerFault.exe	27

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ = "Iparste"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib\ = "{D403739E-0B6E-96A8-84EC-237B63CCB92B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste\ = "xml.parste"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\ = "xml"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib\ = "{D403739E-0B6E-96A8-84EC-237B63CCB92B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\ProgID\ = "xml.parste"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste\CurVer\ = "xml.parste"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\0\win32\ = "C:\\dm\\dmpj.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\InprocServer32\ = "C:\\dm\\dmpj.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}\ = "xml.parste"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D403739E-0B6E-96A8-84EC-237B63CCB92B}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste\CLSID\ = "{5FB280D8-FF11-CF0F-4ACA-3ADD9A77C414}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{705AE0C0-A6E2-BDBC-B25B-A19E803CE8E1}\ = "Iparste"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xml.parste	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 2588	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	28
PID 1956 wrote to memory of 1556	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	29
PID 1956 wrote to memory of 1556	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	29
PID 1956 wrote to memory of 1556	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	29
PID 1956 wrote to memory of 1556	1956	711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe	29

C:\Users\Admin\AppData\Local\Temp\711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe
"C:\Users\Admin\AppData\Local\Temp\711a4cbfd3679dba6ea55ad8843f7583fc16f92c7885d4e91ed3847724fc94b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\dm\dmpj.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 536
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dm\dmpj.dll

Filesize
3.0MB

MD5
8437e83a637d539a0525f5ebe217789c

SHA1
e87f2b98348e1d33e2a5a6920cc467790da98eb1

SHA256
8d5ef35a1f2ebb057831dfff90a2217a2b3a65f9bb8fe64ac1a75d25b2250457

SHA512
55285c326acb42ee00141832734647728469ca6372f06f62476292980828a37ee2f814fba9d313a25ac3d0bc30d3090a6f9a91af5141d0afe2f86d5ac4c5ae27

Download Submit
\dm\dmpj.dll

Filesize
3.0MB

MD5
8437e83a637d539a0525f5ebe217789c

SHA1
e87f2b98348e1d33e2a5a6920cc467790da98eb1

SHA256
8d5ef35a1f2ebb057831dfff90a2217a2b3a65f9bb8fe64ac1a75d25b2250457

SHA512
55285c326acb42ee00141832734647728469ca6372f06f62476292980828a37ee2f814fba9d313a25ac3d0bc30d3090a6f9a91af5141d0afe2f86d5ac4c5ae27

Download Submit
\dm\dmpj.dll

Filesize
3.0MB

MD5
8437e83a637d539a0525f5ebe217789c

SHA1
e87f2b98348e1d33e2a5a6920cc467790da98eb1

SHA256
8d5ef35a1f2ebb057831dfff90a2217a2b3a65f9bb8fe64ac1a75d25b2250457

SHA512
55285c326acb42ee00141832734647728469ca6372f06f62476292980828a37ee2f814fba9d313a25ac3d0bc30d3090a6f9a91af5141d0afe2f86d5ac4c5ae27

Download Submit
\dm\xdyl.dll

Filesize
388KB

MD5
e2652188b5dd08a5d132e05d63d53387

SHA1
e27b378dd0791b2d36a1b9ef437bde525eaa0222

SHA256
c0093f1cbaab638106be0874d740f2a448078826b52b6af486b209c67c6dd026

SHA512
2fb2b42c8e8414428639b72ec81f4f1f08c8b83fc608dc29788856cb7c0722cf32b46359932b03dd898e5620997517ba3fc03ed735e2e090f45859db520e4e35

Download Submit
\dm\xdyl.dll

Filesize
388KB

MD5
e2652188b5dd08a5d132e05d63d53387

SHA1
e27b378dd0791b2d36a1b9ef437bde525eaa0222

SHA256
c0093f1cbaab638106be0874d740f2a448078826b52b6af486b209c67c6dd026

SHA512
2fb2b42c8e8414428639b72ec81f4f1f08c8b83fc608dc29788856cb7c0722cf32b46359932b03dd898e5620997517ba3fc03ed735e2e090f45859db520e4e35

Download Submit
\dm\xdyl.dll

Filesize
388KB

MD5
e2652188b5dd08a5d132e05d63d53387

SHA1
e27b378dd0791b2d36a1b9ef437bde525eaa0222

SHA256
c0093f1cbaab638106be0874d740f2a448078826b52b6af486b209c67c6dd026

SHA512
2fb2b42c8e8414428639b72ec81f4f1f08c8b83fc608dc29788856cb7c0722cf32b46359932b03dd898e5620997517ba3fc03ed735e2e090f45859db520e4e35

Download Submit
memory/1956-7-0x0000000010000000-0x0000000010169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-10-0x0000000010000000-0x0000000010169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-13-0x00000000046E0000-0x0000000004A4B000-memory.dmp

Filesize
3.4MB

Download
memory/1956-114-0x00000000046E0000-0x0000000004A4B000-memory.dmp

Filesize
3.4MB

Download
memory/1956-117-0x00000000046E0000-0x0000000004A4B000-memory.dmp

Filesize
3.4MB

Download
memory/1956-143-0x00000000046E0000-0x0000000004A4B000-memory.dmp

Filesize
3.4MB

Download
memory/1956-9-0x0000000010000000-0x0000000010169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-154-0x0000000010000000-0x0000000010169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-156-0x00000000046E0000-0x0000000004A4B000-memory.dmp

Filesize
3.4MB

Download
memory/2588-4-0x0000000010000000-0x000000001036B000-memory.dmp

Filesize
3.4MB

Download