db4b632583ed63a5b7e225e69eb961c7e56ab8b9e98bc5e1e66d88802615d741

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
Size

2.2MB
MD5

5ba94f496e2c41990fc0172993d0e2e0
SHA1

dc387345dab2c9d94d630e40a6554cbfea1763de
SHA256

db4b632583ed63a5b7e225e69eb961c7e56ab8b9e98bc5e1e66d88802615d741
SHA512

df399ac178fe9b544774a7189e2c2bfca3bc18c8a9b99def04fc2090e048159ba6fa0b02b3251e4c174ac2bc8b57d80929fe63a842591c1db15177c2b4e54982
SSDEEP

49152:LEkYj5Z6iDVYARnLjRaE/LmDtPjfzfgiv5Bb9:wBZ6iBYARvR9/eqex

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000022d83-37.dat	acprotect
behavioral2/files/0x000b000000022d83-38.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1588	regsvr32.exe
4316	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000022d83-37.dat	upx
behavioral2/files/0x000b000000022d83-38.dat	upx
behavioral2/memory/1588-39-0x0000000010000000-0x0000000010186000-memory.dmp	upx

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dm_yhdg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "_Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyou_X.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dm_yhdg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "_Reply"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\TypeLib\ = "{306A3F35-7664-43E6-8E90-E537FFECA430}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\ = "eyou"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyou_X.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\ = "eyou.Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyou.Reply\Clsid\ = "{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306A3F35-7664-43E6-8E90-E537FFECA430}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\ProgID\ = "eyou.Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FEED9E1-718E-43B1-9CE0-A960A77A65F9}\ = "eyou.Reply"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADE48428-F554-4958-BDAD-5A0AD0D11C9C}\ = "Reply"	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1588	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	83
PID 2124 wrote to memory of 1588	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	83
PID 2124 wrote to memory of 1588	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	83
PID 2124 wrote to memory of 4316	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	84
PID 2124 wrote to memory of 4316	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	84
PID 2124 wrote to memory of 4316	2124	NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5ba94f496e2c41990fc0172993d0e2e0_JC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 dm_yhdg.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1588
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 eyou_X.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dm_yhdg.dll

Filesize
844KB

MD5
e75fa46fc6809786e7014f17e12b9f5a

SHA1
4adb9916931b1cd3f1d10a26c1271181a40692d0

SHA256
7bacf0e3691a5e250edda75e51c5e147d8b3ce57ccd5d478c9f9da531fc0548b

SHA512
c12a9de13714ff696428fc6bc432522544f6da63c81eecf84ad1931936b7381f8919b68ca75f8809b93af809c46377d5149462d4eec4d2142b5e86c97ec1724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dm_yhdg.dll

Filesize
844KB

MD5
e75fa46fc6809786e7014f17e12b9f5a

SHA1
4adb9916931b1cd3f1d10a26c1271181a40692d0

SHA256
7bacf0e3691a5e250edda75e51c5e147d8b3ce57ccd5d478c9f9da531fc0548b

SHA512
c12a9de13714ff696428fc6bc432522544f6da63c81eecf84ad1931936b7381f8919b68ca75f8809b93af809c46377d5149462d4eec4d2142b5e86c97ec1724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e581ba7.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\e581bc7.tmp

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\e581bd8.tmp

Filesize
137KB

MD5
f6b847a54cfb804a25b8842b45fd1d50

SHA1
bb22fef07ce1577c8a7fa057d8cf05502c013bfc

SHA256
5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583

SHA512
dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyou_X.dll

Filesize
60KB

MD5
efbe7846e797490258664711e1b30911

SHA1
bdc41e8cc6a9d13eca82be031e54759045aabb72

SHA256
423145bb537f3f4d8c8cb5261f90135d90508298acba25c5e31d6c5df5860d13

SHA512
815f6f8bee496953c85aa268ef527129cba05550c8b7c788bfe50d9afd1ae650691f60b1a04cf926eb0a1c514ddf7377a14e9f18e19d813006ff74dc2bbaa48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyou_X.dll

Filesize
60KB

MD5
efbe7846e797490258664711e1b30911

SHA1
bdc41e8cc6a9d13eca82be031e54759045aabb72

SHA256
423145bb537f3f4d8c8cb5261f90135d90508298acba25c5e31d6c5df5860d13

SHA512
815f6f8bee496953c85aa268ef527129cba05550c8b7c788bfe50d9afd1ae650691f60b1a04cf926eb0a1c514ddf7377a14e9f18e19d813006ff74dc2bbaa48b

Download Submit
memory/1588-39-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download