db4b632583ed63a5b7e225e69eb961c7e56ab8b9e98bc5e1e66d88802615d741

Analysis

max time kernel
123s
max time network
139s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
Size

2.2MB
MD5

5ba94f496e2c41990fc0172993d0e2e0
SHA1

dc387345dab2c9d94d630e40a6554cbfea1763de
SHA256

db4b632583ed63a5b7e225e69eb961c7e56ab8b9e98bc5e1e66d88802615d741
SHA512

df399ac178fe9b544774a7189e2c2bfca3bc18c8a9b99def04fc2090e048159ba6fa0b02b3251e4c174ac2bc8b57d80929fe63a842591c1db15177c2b4e54982
SSDEEP

49152:LEkYj5Z6iDVYARnLjRaE/LmDtPjfzfgiv5Bb9:wBZ6iBYARvR9/eqex

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120bd-12.dat	acprotect
behavioral1/files/0x00080000000120bd-13.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
2688	regsvr32.exe
2820	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120bd-12.dat	upx
behavioral1/files/0x00080000000120bd-13.dat	upx
behavioral1/memory/2688-14-0x0000000010000000-0x0000000010186000-memory.dmp	upx

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\ = "eyou"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyou_X.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\ProgID\ = "eyou.Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dm_yhdg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyou_X.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\ = "eyou.Reply"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\Clsid\ = "{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dm_yhdg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "_Reply"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "_Reply"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	28
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29
PID 2136 wrote to memory of 2820	2136	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 dm_yhdg.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2688
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 eyou_X.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dm_yhdg.dll

Filesize
844KB

MD5
e75fa46fc6809786e7014f17e12b9f5a

SHA1
4adb9916931b1cd3f1d10a26c1271181a40692d0

SHA256
7bacf0e3691a5e250edda75e51c5e147d8b3ce57ccd5d478c9f9da531fc0548b

SHA512
c12a9de13714ff696428fc6bc432522544f6da63c81eecf84ad1931936b7381f8919b68ca75f8809b93af809c46377d5149462d4eec4d2142b5e86c97ec1724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyou_X.dll

Filesize
60KB

MD5
efbe7846e797490258664711e1b30911

SHA1
bdc41e8cc6a9d13eca82be031e54759045aabb72

SHA256
423145bb537f3f4d8c8cb5261f90135d90508298acba25c5e31d6c5df5860d13

SHA512
815f6f8bee496953c85aa268ef527129cba05550c8b7c788bfe50d9afd1ae650691f60b1a04cf926eb0a1c514ddf7377a14e9f18e19d813006ff74dc2bbaa48b

Download Submit
C:\eks77.ini

Filesize
89B

MD5
6c18d351b5dfa0eb36ce7b8d118e9d59

SHA1
47c1521ff846f5129da64cb764479f3b288991b8

SHA256
a712874ee81174379187c208b454b1eec1be936188855ba26d5ba4dc0e4badd0

SHA512
634b9270829a5b2545d0622a2937c492e9262ee618ba4c78cafe3f66af330cf4b9904a442a9c32a4cbc63ef6c13b190e1e87575f09b379383d9df0882f8dd1d3

Download Submit
\Users\Admin\AppData\Local\Temp\dm_yhdg.dll

Filesize
844KB

MD5
e75fa46fc6809786e7014f17e12b9f5a

SHA1
4adb9916931b1cd3f1d10a26c1271181a40692d0

SHA256
7bacf0e3691a5e250edda75e51c5e147d8b3ce57ccd5d478c9f9da531fc0548b

SHA512
c12a9de13714ff696428fc6bc432522544f6da63c81eecf84ad1931936b7381f8919b68ca75f8809b93af809c46377d5149462d4eec4d2142b5e86c97ec1724e

Download Submit
\Users\Admin\AppData\Local\Temp\eyou_X.dll

Filesize
60KB

MD5
efbe7846e797490258664711e1b30911

SHA1
bdc41e8cc6a9d13eca82be031e54759045aabb72

SHA256
423145bb537f3f4d8c8cb5261f90135d90508298acba25c5e31d6c5df5860d13

SHA512
815f6f8bee496953c85aa268ef527129cba05550c8b7c788bfe50d9afd1ae650691f60b1a04cf926eb0a1c514ddf7377a14e9f18e19d813006ff74dc2bbaa48b

Download Submit
memory/2136-10-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2136-11-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2136-27-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2136-28-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2136-29-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2688-14-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download