Analysis
max time kernel: 154s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2023, 01:57
Static task: static1
Behavioral task: behavioral1
Sample: 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
Resource: win7-20230831-en
General
Target: 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
Size: 9.8MB
MD5: 7b88feb63c5e6e010008e7244149a529
SHA1: 3a7000d176cb1f014efb5bb81b585d6b265e849b
SHA256: 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e
SHA512: 08cdb724391a0907f17c360f76bca6c18268848deab74ff31a3b41e338611d35a1eec851feef28b1bf46bf9a146e8bef33330ab54e1d64fed83c76d65a8023ec
SSDEEP: 196608:iBzclOEC4iD1rgKErPJjkZc+35hio2Jp2mSCpfUO+x8pFjV5FPggQvOQs28:r7nKoeZJ3F+tp803FoJvc28
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource  yara_rule
behavioral2/files/0x000800000002321c-45.dat  acprotect
behavioral2/files/0x000800000002321c-48.dat  acprotect

Executes dropped EXE (2 IoCs)
pid  Process
2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
3740  旗舰7.0安全锁注册.exe

Loads dropped DLL (1 IoCs)
pid  Process
3740  旗舰7.0安全锁注册.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource  yara_rule
behavioral2/memory/3740-35-0x0000000000400000-0x000000000143F000-memory.dmp  agile_net
behavioral2/memory/3740-40-0x0000000000400000-0x000000000143F000-memory.dmp  agile_net
behavioral2/memory/3740-52-0x0000000000400000-0x000000000143F000-memory.dmp  agile_net

YARA rule match: upx (5 IoCs)
resource  yara_rule
behavioral2/files/0x000800000002321c-45.dat  upx
behavioral2/memory/3740-49-0x0000000010000000-0x000000001003D000-memory.dmp  upx
behavioral2/files/0x000800000002321c-48.dat  upx
behavioral2/memory/3740-50-0x0000000010000000-0x000000001003D000-memory.dmp  upx
behavioral2/memory/3740-51-0x0000000010000000-0x000000001003D000-memory.dmp  upx

YARA rule match: vmprotect (5 IoCs)
resource  yara_rule
behavioral2/files/0x0006000000023212-26.dat  vmprotect
behavioral2/files/0x0006000000023212-27.dat  vmprotect
behavioral2/memory/3740-35-0x0000000000400000-0x000000000143F000-memory.dmp  vmprotect
behavioral2/memory/3740-40-0x0000000000400000-0x000000000143F000-memory.dmp  vmprotect
behavioral2/memory/3740-52-0x0000000000400000-0x000000000143F000-memory.dmp  vmprotect

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (13 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\DC\is-BRS8J.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created  C:\Program Files (x86)\DC\is-80LN0.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created  C:\Program Files (x86)\DC\is-VLF1N.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification  C:\Program Files (x86)\DC\SkinH_EL.dll  旗舰7.0安全锁注册.exe
File created  C:\Program Files (x86)\DC\is-BRS8J.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created  C:\Program Files (x86)\DC\is-69QQ4.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created  C:\Program Files (x86)\DC\SkinH_EL.dll  旗舰7.0安全锁注册.exe
File created  C:\Program Files (x86)\DC\is-ICJQH.tmp  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification  C:\Program Files (x86)\DC\unins000.dat  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification  C:\Program Files (x86)\DC\MyProg.exe  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification  C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File opened for modification  C:\Program Files (x86)\DC\兼容补丁.exe  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
File created  C:\Program Files (x86)\DC\unins000.dat  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  Process
2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid  Process
2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

Suspicious use of SetWindowsHookEx (4 IoCs)
pid  Process
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe
3740  旗舰7.0安全锁注册.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description  pid  Process  procid_target
PID 1048 wrote to memory of 2828  1048  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe  86
PID 1048 wrote to memory of 2828  1048  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe  86
PID 1048 wrote to memory of 2828  1048  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe  86
PID 2828 wrote to memory of 3740  2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp  87
PID 2828 wrote to memory of 3740  2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp  87
PID 2828 wrote to memory of 3740  2828  9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp  87
Processes

1. C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1048

   2. C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp" /SL5="$90232,9392307,727552,C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2828

      3. C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe
         Command line: "C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         PID: 3740
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 86KB
MD5: 147127382e001f495d1842ee7a9e7912
SHA1: 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512: 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
Filesize: 7.7MB
MD5: dec9991c3d3ce3fb3aa4aba139deda6e
SHA1: 257a81d186fb1f7b0e6f1e27461f095a6718887e
SHA256: fa3e84ebe3bed4bd7de671e8c8ae0c92426afb4c29c23959adbde838d27b4a70
SHA512: 3c4695bdee8623b512d2c88ae0a24d8d58bcb1e8c6f5c770d22a80373b46ccfbf3b0fa4d32495fd71c161cba110537107598aed89dd0831ba3f74453617ff3f0
C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
Filesize: 2.9MB
MD5: 1cc42c79271f65dffe819b5c35b63764
SHA1: 1899685db0f918255b2bad3a0dd54103519b90ad
SHA256: d177a918f12a581b0327c13b9222d2213154dba20ab0551bbbf2ef6671b9e630
SHA512: d38dcd50959f5d5dadac6252cba2df8089aa24af92bd09bd3b6cf9afef584fe108f9cd50dbe9083ec1673cbd5be29c682eef7b0ef1da714cf0fa55a5a5ee5c2c