bf1f266ef8a8b7bca53f54a7468a30c92dc6c7183e1ea7ddf2b1ef331bcea5e3

General

Target

74788111b9ac631022b5995122a82c07.exe
Size

77KB
MD5

74788111b9ac631022b5995122a82c07
SHA1

d91234025cbdcdd296df6e84b6913cd9ad35c137
SHA256

bf1f266ef8a8b7bca53f54a7468a30c92dc6c7183e1ea7ddf2b1ef331bcea5e3
SHA512

4ea2f8df5eb874a975591d720d7fe9da28500a65ecbd8d0b8551e1a305c97a794f26e6b78c31fc6c494e3edee880b3f3f669a94519e205492db2f2eb2d9e86c3
SSDEEP

1536:hiRgxYx2kzgUnrVWCJ2AZGAjF51L53/iD6WYxpza9JN9E057jC:hSgFKyHAvjFt3/iD6WYyJN9Ev

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023201-18.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	74788111b9ac631022b5995122a82c07.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	qjgame.Exe
3492	wulin9527.exe

Loads dropped DLL 3 IoCs

pid	Process
2584	qjgame.Exe
3492	wulin9527.exe
3492	wulin9527.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000231f7-5.dat	upx
behavioral2/memory/2584-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2584-20-0x0000000010000000-0x000000001001A000-memory.dmp	upx
behavioral2/files/0x0009000000023201-18.dat	upx
behavioral2/memory/2584-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2584-44-0x0000000010000000-0x000000001001A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wulin95273qso.dll	wulin9527.exe
File opened for modification	C:\Windows\SysWOW64\wulin95273qso.dll	wulin9527.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3468	2584	WerFault.exe	87

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13BB17CA-1BA0-1F83-2376-27642B392F2C}	wulin9527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13BB17CA-1BA0-1F83-2376-27642B392F2C}\ = "VISTA"	wulin9527.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13BB17CA-1BA0-1F83-2376-27642B392F2C}\InProcSERVER32	wulin9527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13BB17CA-1BA0-1F83-2376-27642B392F2C}\InProcSERVER32\ = "C:\\Windows\\SysWow64\\wulin95273qso.dll"	wulin9527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13BB17CA-1BA0-1F83-2376-27642B392F2C}\InProcSERVER32\ThREADingModel = "ApartMENT"	wulin9527.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2584	qjgame.Exe
2584	qjgame.Exe
3492	wulin9527.exe
3492	wulin9527.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2584	qjgame.Exe
Token: SeRestorePrivilege	2584	qjgame.Exe
Token: SeDebugPrivilege	2584	qjgame.Exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	wulin9527.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2584	4288	74788111b9ac631022b5995122a82c07.exe	87
PID 4288 wrote to memory of 2584	4288	74788111b9ac631022b5995122a82c07.exe	87
PID 4288 wrote to memory of 2584	4288	74788111b9ac631022b5995122a82c07.exe	87
PID 4288 wrote to memory of 3492	4288	74788111b9ac631022b5995122a82c07.exe	90
PID 4288 wrote to memory of 3492	4288	74788111b9ac631022b5995122a82c07.exe	90
PID 4288 wrote to memory of 3492	4288	74788111b9ac631022b5995122a82c07.exe	90
PID 4288 wrote to memory of 2596	4288	74788111b9ac631022b5995122a82c07.exe	92
PID 4288 wrote to memory of 2596	4288	74788111b9ac631022b5995122a82c07.exe	92
PID 4288 wrote to memory of 2596	4288	74788111b9ac631022b5995122a82c07.exe	92

C:\Users\Admin\AppData\Local\Temp\74788111b9ac631022b5995122a82c07.exe
"C:\Users\Admin\AppData\Local\Temp\74788111b9ac631022b5995122a82c07.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\qjgame.Exe
  "C:\Users\Admin\AppData\Local\Temp\qjgame.Exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 480
    3⤵
    - Program crash
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\wulin9527.exe
  "C:\Users\Admin\AppData\Local\Temp\wulin9527.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OPE4160.bat" "" "C:\Users\Admin\AppData\Local\Temp" "74788111b9ac631022b5995122a82c07.exe""
  2⤵
  PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2584 -ip 2584
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OPE4160.bat

Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat4141.tmp

Filesize
18KB

MD5
04d0b770aba6561c02db176c5b406bec

SHA1
ea3d0b5a83f5bd9b054db90b602ce18c0804bcb9

SHA256
75f95dfc21674d96a4a96e7a5ba0aec5a865a1d48c3dee30ba81b6b1338363be

SHA512
9b500b22839aecb0c0f3dff15fdd49da792a3c65972013e9ed4a59e6b23ae4b47c880a02a61b8d8d9879416928897c28d813f3dc3ba1a3b0c01d5a0aef7b8467

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjgame.Exe

Filesize
29KB

MD5
1d886304b557168a14590fa1efe5fbae

SHA1
a2205d862e7d70dffa06f7b4310a5a1822a8ee28

SHA256
57f539fa75a7630252fa28f98d278b1e94267f77e5fcc57b608a1274af0df665

SHA512
dcc7cb061a0f76f6c5ea242d7fb6ad585dee2b82cdacd96861328cc7c41dfdea84905c01432566d5f8ecd92e163c1ec4b6648d702c9ea7ed113cf4c84bb36c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\wulin9527.exe

Filesize
45KB

MD5
bd2fbcceb25d18251712d7f3348d17f5

SHA1
58c26084eb7035fa9abd698e5e5941ca60cca9e0

SHA256
7995c65f8ec35d0e2cee1cc1a7a8365193c54ea8e40e44d744a30f8e3b6c77bb

SHA512
13ed95a8c92ec83b0db3e0a4c7f7fdb8a0e2b8be87f6d4650594f722d6fd61f8d9f817b82d33d36332600df606234f5f522976382d02c7ef6ad5383c56d4d323

Download Submit
C:\Windows\SysWOW64\wulin95273qso.dll

Filesize
80KB

MD5
94f9ac5612c932d5fe03a17b54eee605

SHA1
3bb8fae721834d8817edc43ce42637526d07f16d

SHA256
a89a8d849f584ec1d2baf5f957b221457db0f32c76685957f1f7aa04649fc764

SHA512
b6b0d5e0041bdc4e7e42edfe2425a45055caf1e028439eda504f396a7c971deda67f4b3aa2389bf75f4720a69cee4d289a242589f7187c2eb86d3925c4634227

Download Submit
memory/2584-44-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2584-32-0x0000000075D70000-0x0000000075E60000-memory.dmp

Filesize
960KB

Download
memory/2584-20-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2584-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2584-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2584-45-0x0000000075D70000-0x0000000075E60000-memory.dmp

Filesize
960KB

Download
memory/3492-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-38-0x0000000000590000-0x00000000005A9000-memory.dmp

Filesize
100KB

Download
memory/3492-34-0x0000000075D70000-0x0000000075E60000-memory.dmp

Filesize
960KB

Download
memory/3492-49-0x0000000075D70000-0x0000000075E60000-memory.dmp

Filesize
960KB

Download
memory/3492-46-0x0000000000590000-0x00000000005A9000-memory.dmp

Filesize
100KB

Download
memory/4288-40-0x0000000000400000-0x0000000000414C8E-memory.dmp

Filesize
83KB

Download
memory/4288-0-0x0000000000400000-0x0000000000414C8E-memory.dmp

Filesize
83KB

Download

Analysis

Sharing