Analysis
-
max time kernel
145s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted
14/10/2023, 01:57
Static task
static1
Behavioral task
behavioral1
Sample
9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
Resource
win7-20230831-en
General
-
Target
9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
-
Size
9.8MB
-
MD5
7b88feb63c5e6e010008e7244149a529
-
SHA1
3a7000d176cb1f014efb5bb81b585d6b265e849b
-
SHA256
9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e
-
SHA512
08cdb724391a0907f17c360f76bca6c18268848deab74ff31a3b41e338611d35a1eec851feef28b1bf46bf9a146e8bef33330ab54e1d64fed83c76d65a8023ec
-
SSDEEP
196608:iBzclOEC4iD1rgKErPJjkZc+35hio2Jp2mSCpfUO+x8pFjV5FPggQvOQs28:r7nKoeZJ3F+tp803FoJvc28
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0006000000015ca9-77.dat | acprotect
Executes dropped EXE 2 IoCs
pid | Process
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2740 | 旗舰7.0安全锁注册.exe
Loads dropped DLL 4 IoCs
pid | Process
1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2740 | 旗舰7.0安全锁注册.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/2740-37-0x0000000000400000-0x000000000143F000-memory.dmp | agile_net
behavioral1/memory/2740-87-0x0000000000400000-0x000000000143F000-memory.dmp | agile_net
resource | yara_rule
behavioral1/files/0x0006000000015ca9-77.dat | upx
behavioral1/memory/2740-80-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/2740-82-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/2740-83-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/2740-84-0x0000000010000000-0x000000001003D000-memory.dmp | upx
resource | yara_rule
behavioral1/files/0x0006000000015c61-26.dat | vmprotect
behavioral1/files/0x0006000000015c61-28.dat | vmprotect
behavioral1/files/0x0006000000015c61-32.dat | vmprotect
behavioral1/files/0x0006000000015c61-30.dat | vmprotect
behavioral1/files/0x0006000000015c61-33.dat | vmprotect
behavioral1/memory/2740-37-0x0000000000400000-0x000000000143F000-memory.dmp | vmprotect
behavioral1/memory/2740-87-0x0000000000400000-0x000000000143F000-memory.dmp | vmprotect
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\DC\is-LRR53.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification | C:\Program Files (x86)\DC\MyProg.exe | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\is-LRR53.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification | C:\Program Files (x86)\DC\SkinH_EL.dll | 旗舰7.0安全锁注册.exe
File created | C:\Program Files (x86)\DC\is-PMA9H.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\SkinH_EL.dll | 旗舰7.0安全锁注册.exe
File opened for modification | C:\Program Files (x86)\DC\兼容补丁.exe | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\unins000.dat | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification | C:\Program Files (x86)\DC\unins000.dat | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\is-J1NMF.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\is-6L2M4.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created | C:\Program Files (x86)\DC\is-URDNA.tmp | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2740 | 旗舰7.0安全锁注册.exe
2740 | 旗舰7.0安全锁注册.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2740 | 旗舰7.0安全锁注册.exe
2740 | 旗舰7.0安全锁注册.exe
2740 | 旗舰7.0安全锁注册.exe
2740 | 旗舰7.0安全锁注册.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 1964 wrote to memory of 2196 | 1964 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | 28
PID 2196 wrote to memory of 2740 | 2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | 29
PID 2196 wrote to memory of 2740 | 2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | 29
PID 2196 wrote to memory of 2740 | 2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | 29
PID 2196 wrote to memory of 2740 | 2196 | 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
"C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
    C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp" /SL5="$40150,9392307,727552,C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2196
        C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe
        "C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID:2740
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7.7MB
MD5
dec9991c3d3ce3fb3aa4aba139deda6e
SHA1
257a81d186fb1f7b0e6f1e27461f095a6718887e
SHA256
fa3e84ebe3bed4bd7de671e8c8ae0c92426afb4c29c23959adbde838d27b4a70
SHA512
3c4695bdee8623b512d2c88ae0a24d8d58bcb1e8c6f5c770d22a80373b46ccfbf3b0fa4d32495fd71c161cba110537107598aed89dd0831ba3f74453617ff3f0
-
C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
Filesize
2.9MB
MD5
1cc42c79271f65dffe819b5c35b63764
SHA1
1899685db0f918255b2bad3a0dd54103519b90ad
SHA256
d177a918f12a581b0327c13b9222d2213154dba20ab0551bbbf2ef6671b9e630
SHA512
d38dcd50959f5d5dadac6252cba2df8089aa24af92bd09bd3b6cf9afef584fe108f9cd50dbe9083ec1673cbd5be29c682eef7b0ef1da714cf0fa55a5a5ee5c2c
-
Filesize
86KB
MD5
147127382e001f495d1842ee7a9e7912
SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
-
\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
Filesize
2.9MB
MD5
1cc42c79271f65dffe819b5c35b63764
SHA1
1899685db0f918255b2bad3a0dd54103519b90ad
SHA256
d177a918f12a581b0327c13b9222d2213154dba20ab0551bbbf2ef6671b9e630
SHA512
d38dcd50959f5d5dadac6252cba2df8089aa24af92bd09bd3b6cf9afef584fe108f9cd50dbe9083ec1673cbd5be29c682eef7b0ef1da714cf0fa55a5a5ee5c2c