99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4

Analysis

max time kernel
180s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
Size

6.1MB
MD5

1e35465aa719b0f1b7cc5d3d92d0b6cf
SHA1

d7e07451e9538251b10b6dc86020b1492129bd66
SHA256

99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4
SHA512

83db00320ca1b95e7cae81647837ec9355e47fa7eefcfdcc4b28a6ac4f0fcb81e5985f12fe14899e0ae2e5c870f5a6dec14e4afe6381b8521fb89def451e40af
SSDEEP

98304:Fum3hYsDXe2lgtnHrkSkMcwfys+QXwn1mwyFXXNDB2RY3hruWTgwHWLarV0TL+:Fu3GOF6XMIEwedD2AJt6/+

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022df9-1.dat	acprotect
behavioral2/files/0x0006000000022df9-2.dat	acprotect
behavioral2/files/0x0006000000022df9-34.dat	acprotect
behavioral2/files/0x0006000000022df9-35.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
632	HOUV.exe

Loads dropped DLL 4 IoCs

pid	Process
3240	regsvr32.exe
632	HOUV.exe
632	HOUV.exe
632	HOUV.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022df9-1.dat	upx
behavioral2/files/0x0006000000022df9-2.dat	upx
behavioral2/memory/3240-3-0x0000000010000000-0x00000000104FC000-memory.dmp	upx
behavioral2/files/0x0006000000022df9-34.dat	upx
behavioral2/files/0x0006000000022df9-35.dat	upx
behavioral2/memory/632-36-0x0000000004A80000-0x0000000004F7C000-memory.dmp	upx
behavioral2/memory/632-43-0x0000000004A80000-0x0000000004F7C000-memory.dmp	upx
behavioral2/memory/632-44-0x0000000004A80000-0x0000000004F7C000-memory.dmp	upx
behavioral2/memory/632-60-0x0000000004A80000-0x0000000004F7C000-memory.dmp	upx
behavioral2/memory/632-61-0x0000000004A80000-0x0000000004F7C000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\11\Res\2.txt	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\Res\3.txt	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\Res\4.txt	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\Res\Õ½³¡ÎïÆ·1.bmp	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\Res\Õ½³¡ÎïÆ·2.bmp	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\HOUV.exe	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\½ø³ÌÍ¨ÐÅ.exe	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
File created	C:\Windows\11\Res\1.txt	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib\ = "{067F62DC-D869-9B14-A6C8-C77755CD86E5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ = "Ixqsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft\CLSID\ = "{685B11EC-42B5-D666-1C73-1CB27440334C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\ = "xq.xqsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\InprocServer32\ = "c:\\¾Õ»¨¸¨Öú\\SmIlE.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\0\win32\ = "c:\\¾Õ»¨¸¨Öú\\SmIlE.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ = "Ixqsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft\CurVer\ = "xq.xqsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib\ = "{067F62DC-D869-9B14-A6C8-C77755CD86E5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\ProgID\ = "xq.xqsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D63DDDA-3F00-7289-B2CB-0B62894622AA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xq.xqsoft\ = "xq.xqsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{685B11EC-42B5-D666-1C73-1CB27440334C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\ = "xq"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{067F62DC-D869-9B14-A6C8-C77755CD86E5}\1.0\0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	HOUV.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
632	HOUV.exe
632	HOUV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
632	HOUV.exe
632	HOUV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 3240	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	91
PID 1868 wrote to memory of 3240	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	91
PID 1868 wrote to memory of 3240	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	91
PID 1868 wrote to memory of 632	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	94
PID 1868 wrote to memory of 632	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	94
PID 1868 wrote to memory of 632	1868	99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe	94

C:\Users\Admin\AppData\Local\Temp\99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe
"C:\Users\Admin\AppData\Local\Temp\99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 c:\¾Õ»¨¸¨Öú\SmIlE.dll -s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3240
- C:\Windows\11\HOUV.exe
  C:\Windows\11\HOUV.exe xq HOUV.exe C:\Users\Admin\AppData\Local\Temp\99493be2baf7d5959fd2dd4cd09de139748f38757da814374ca9ced92c3f06a4.exe ÊÖ¶¯
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\11\HOUV.exe

Filesize
1.3MB

MD5
1fc2eee1d789e4531a7187aa963ac6fc

SHA1
e1603d942712e707ef920417579296f0f9a9bf99

SHA256
db107d01b1702dc1db6e6af8a9ab871813b9c348c59abefa0ab9963977cd7421

SHA512
30b4079d17521e1f2b23cefe928a554583cf52b87594a7c3a7a7c8c3e9178bad78e3821fefb3619b1b3ceb5c7f88c5555ad1d0ce5dba72f718a81bebfcd6233c

Download Submit
C:\Windows\11\HOUV.exe

Filesize
1.3MB

MD5
1fc2eee1d789e4531a7187aa963ac6fc

SHA1
e1603d942712e707ef920417579296f0f9a9bf99

SHA256
db107d01b1702dc1db6e6af8a9ab871813b9c348c59abefa0ab9963977cd7421

SHA512
30b4079d17521e1f2b23cefe928a554583cf52b87594a7c3a7a7c8c3e9178bad78e3821fefb3619b1b3ceb5c7f88c5555ad1d0ce5dba72f718a81bebfcd6233c

Download Submit
C:\¾Õ»¨¸¨Öú\SmIlE.dll

Filesize
3.4MB

MD5
c4a0301bfdca2b60ea34b8e777ef2063

SHA1
81faaf396e1d75fb576abf37278d76efaa12947c

SHA256
4109a1f49d0d5851f7bb73969c2d9ccd3793814486e084ae8506cc6f2a558c78

SHA512
eba5f8684840164929f1575864f7e3f1c85f7b3e6f7ea46ec43634b8f3b5a91a6d3cf4969c77241bf78ed1e3490af3b7cd91b1d910ecf584c5f0e6e5390e19b8

Download Submit
C:\¾Õ»¨¸¨Öú\SmIlE.dll

Filesize
3.4MB

MD5
c4a0301bfdca2b60ea34b8e777ef2063

SHA1
81faaf396e1d75fb576abf37278d76efaa12947c

SHA256
4109a1f49d0d5851f7bb73969c2d9ccd3793814486e084ae8506cc6f2a558c78

SHA512
eba5f8684840164929f1575864f7e3f1c85f7b3e6f7ea46ec43634b8f3b5a91a6d3cf4969c77241bf78ed1e3490af3b7cd91b1d910ecf584c5f0e6e5390e19b8

Download Submit
C:\¾Õ»¨¸¨Öú\SmIlE.dll

Filesize
3.4MB

MD5
c4a0301bfdca2b60ea34b8e777ef2063

SHA1
81faaf396e1d75fb576abf37278d76efaa12947c

SHA256
4109a1f49d0d5851f7bb73969c2d9ccd3793814486e084ae8506cc6f2a558c78

SHA512
eba5f8684840164929f1575864f7e3f1c85f7b3e6f7ea46ec43634b8f3b5a91a6d3cf4969c77241bf78ed1e3490af3b7cd91b1d910ecf584c5f0e6e5390e19b8

Download Submit
C:\¾Õ»¨¸¨Öú\reg.dll

Filesize
52KB

MD5
732b1be137e2be34507c7f68a54ad4a1

SHA1
7fb87f8fb3af946e9a3bc4e08756a7eec89cd27f

SHA256
679d0ef74fbf7fab6442968ee1cc7e9b4e2cf1860491a7f83a1a5903516cf2e2

SHA512
d39ff43d1cafa56cdfce578c58ae7bb82166c3a44b488c5579588073bba763adeb83137f65ff38c8bc95aae44bf143b4a656651a84de9d5bea59c36606b5b391

Download Submit
\??\c:\¾Õ»¨¸¨Öú\Reg.dll

Filesize
52KB

MD5
732b1be137e2be34507c7f68a54ad4a1

SHA1
7fb87f8fb3af946e9a3bc4e08756a7eec89cd27f

SHA256
679d0ef74fbf7fab6442968ee1cc7e9b4e2cf1860491a7f83a1a5903516cf2e2

SHA512
d39ff43d1cafa56cdfce578c58ae7bb82166c3a44b488c5579588073bba763adeb83137f65ff38c8bc95aae44bf143b4a656651a84de9d5bea59c36606b5b391

Download Submit
\??\c:\¾Õ»¨¸¨Öú\SmIlE.dll

Filesize
3.4MB

MD5
c4a0301bfdca2b60ea34b8e777ef2063

SHA1
81faaf396e1d75fb576abf37278d76efaa12947c

SHA256
4109a1f49d0d5851f7bb73969c2d9ccd3793814486e084ae8506cc6f2a558c78

SHA512
eba5f8684840164929f1575864f7e3f1c85f7b3e6f7ea46ec43634b8f3b5a91a6d3cf4969c77241bf78ed1e3490af3b7cd91b1d910ecf584c5f0e6e5390e19b8

Download Submit
memory/632-27-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-41-0x0000000006180000-0x0000000006196000-memory.dmp

Filesize
88KB

Download
memory/632-61-0x0000000004A80000-0x0000000004F7C000-memory.dmp

Filesize
5.0MB

Download
memory/632-60-0x0000000004A80000-0x0000000004F7C000-memory.dmp

Filesize
5.0MB

Download
memory/632-48-0x0000000006180000-0x0000000006196000-memory.dmp

Filesize
88KB

Download
memory/632-24-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-25-0x0000000077352000-0x0000000077353000-memory.dmp

Filesize
4KB

Download
memory/632-26-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/632-28-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-29-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-47-0x0000000005880000-0x000000000617A000-memory.dmp

Filesize
9.0MB

Download
memory/632-31-0x0000000077353000-0x0000000077354000-memory.dmp

Filesize
4KB

Download
memory/632-33-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-32-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-30-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-46-0x0000000004F90000-0x00000000057AB000-memory.dmp

Filesize
8.1MB

Download
memory/632-44-0x0000000004A80000-0x0000000004F7C000-memory.dmp

Filesize
5.0MB

Download
memory/632-36-0x0000000004A80000-0x0000000004F7C000-memory.dmp

Filesize
5.0MB

Download
memory/632-37-0x0000000004F90000-0x00000000057AB000-memory.dmp

Filesize
8.1MB

Download
memory/632-38-0x0000000005880000-0x000000000617A000-memory.dmp

Filesize
9.0MB

Download
memory/632-39-0x00000000061A0000-0x00000000061A2000-memory.dmp

Filesize
8KB

Download
memory/632-40-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/632-43-0x0000000004A80000-0x0000000004F7C000-memory.dmp

Filesize
5.0MB

Download
memory/632-42-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3240-9-0x0000000003290000-0x0000000003B8A000-memory.dmp

Filesize
9.0MB

Download
memory/3240-3-0x0000000010000000-0x00000000104FC000-memory.dmp

Filesize
5.0MB

Download
memory/3240-4-0x00000000029A0000-0x00000000031BB000-memory.dmp

Filesize
8.1MB

Download
memory/3240-5-0x0000000003290000-0x0000000003B8A000-memory.dmp

Filesize
9.0MB

Download
memory/3240-6-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

Filesize
8KB

Download
memory/3240-7-0x0000000003B90000-0x0000000003BA6000-memory.dmp

Filesize
88KB

Download
memory/3240-8-0x0000000003B90000-0x0000000003BA6000-memory.dmp

Filesize
88KB

Download