f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe
Size

7.0MB
MD5

7a60e5b28ae4058075516409e6087523
SHA1

c171372c2ebe9548f0747e363de84fed698970e6
SHA256

f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e
SHA512

b8da51a7b09234a297feabcc0346e741677f996364cf7605b859ac329252a7459a8c5fa3f5ac63578833df6584a3c17bc0d6f4b0a25b9404494122750e7dedf3
SSDEEP

98304:XuU6x8br1ZFPqrWodw8BfgQY4Ma23c2Q3983mbVV3pb1BwTjLsa2NHrwmANyaIu0:Sk5PsOb/eCj3I1NcHNGAJaBJQaf+HW

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000400000002281c-1.dat	acprotect
behavioral2/files/0x000400000002281c-2.dat	acprotect
behavioral2/files/0x000400000002281c-4.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
4508	regsvr32.exe
2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000002281c-1.dat	upx
behavioral2/files/0x000400000002281c-2.dat	upx
behavioral2/memory/4508-3-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral2/files/0x000400000002281c-4.dat	upx
behavioral2/memory/2460-5-0x0000000010000000-0x0000000010176000-memory.dmp	upx
behavioral2/memory/2460-6-0x0000000010000000-0x0000000010176000-memory.dmp	upx

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe
2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 4508	2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe	86
PID 2460 wrote to memory of 4508	2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe	86
PID 2460 wrote to memory of 4508	2460	f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe	86

C:\Users\Admin\AppData\Local\Temp\f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe
"C:\Users\Admin\AppData\Local\Temp\f362933c504a2654fef87e10c8dc9d961d038689d381024671314dbbaaa2808e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\dm.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\dm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
C:\dm.dll

Filesize
804KB

MD5
c578b6820bda5689940560147c6e5ffc

SHA1
922e50d89c9c44bdc205ef17aa57212b64e58852

SHA256
3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389

SHA512
9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

Download Submit
memory/2460-5-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/2460-6-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download
memory/4508-3-0x0000000010000000-0x0000000010176000-memory.dmp

Filesize
1.5MB

Download