Overview

Static analysis score: 10

Behavioral scores per sample (windows7-x64 / windows10-2004-x64):
About.chm: 7 / 1
Setup_s34.exe: 10 / 7
baid.exe: 10 / 7
bind_8152.exe: 10 / 7
duisc.exe: 10 / 8
edmtd.exe: 10 / 7
itadx.exe: 10 / 7
ly2_03.exe: 10 / 10
pcast.exe: 10 / 10
pingtu12.exe: 10 / 1
qqa02_u88setup.exe: 10 / 8
sdcnc.exe: 10 / 8
sdpig.exe: 10 / 7
sdreg.exe: 10 / 1
sdset.exe: 10 / 10
sogoutb_se...ni.exe: 10 / 7
Analysis (score 10)

- max time kernel: 143s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:27
Behavioral tasks (sample, resource)

- behavioral1: About.chm, win7-20231215-en
- behavioral2: About.chm, win10v2004-20231215-en
- behavioral3: Setup_s34.exe, win7-20231215-en
- behavioral4: Setup_s34.exe, win10v2004-20231215-en
- behavioral5: baid.exe, win7-20231215-en
- behavioral6: baid.exe, win10v2004-20231215-en
- behavioral7: bind_8152.exe, win7-20231215-en
- behavioral8: bind_8152.exe, win10v2004-20231215-en
- behavioral9: duisc.exe, win7-20231129-en
- behavioral10: duisc.exe, win10v2004-20231215-en
- behavioral11: edmtd.exe, win7-20231215-en
- behavioral12: edmtd.exe, win10v2004-20231222-en
- behavioral13: itadx.exe, win7-20231215-en
- behavioral14: itadx.exe, win10v2004-20231215-en
- behavioral15: ly2_03.exe, win7-20231215-en
- behavioral16: ly2_03.exe, win10v2004-20231215-en
- behavioral17: pcast.exe, win7-20231215-en
- behavioral18: pcast.exe, win10v2004-20231222-en
- behavioral19: pingtu12.exe, win7-20231215-en
- behavioral20: pingtu12.exe, win10v2004-20231215-en
- behavioral21: qqa02_u88setup.exe, win7-20231215-en
- behavioral22: qqa02_u88setup.exe, win10v2004-20231222-en
- behavioral23: sdcnc.exe, win7-20231215-en
- behavioral24: sdcnc.exe, win10v2004-20231215-en
- behavioral25: sdpig.exe, win7-20231129-en
- behavioral26: sdpig.exe, win10v2004-20231215-en
- behavioral27: sdreg.exe, win7-20231215-en
- behavioral28: sdreg.exe, win10v2004-20231222-en
- behavioral29: sdset.exe, win7-20231215-en
- behavioral30: sdset.exe, win10v2004-20231215-en
- behavioral31: sogoutb_setup_pp365sosoft08mini.exe, win7-20231215-en
General

- Target: itadx.exe
- Size: 649KB
- MD5: 5e39f718790c8ab61b5fda0607ab046b
- SHA1: be58a7d81bec145e61b291b9ba07d153b17fdb1d
- SHA256: 40a4758940e1bce888e96d4aa27c24032805a41700d5a0af5bddc174e247c683
- SHA512: f08366a667eff30a3cb95f5ce37b712c55cbd251449eed0db24fee39f1a412d4924371db7444478fee7d5ee56a1835f5165bd2772fe7a97d3d94d1d96feed67e
- SSDEEP: 12288:L2qoY5sffWpiTHkfRvEwhc5Yh9gH1NcMRoNvia9N0HFW+DgnhLvLQ9WVB57:1GA0HkpvEwh2Yng8MRoAcCfghLLQ9OBV
Malware Config

Signatures

- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  resource / yara_rule:
  behavioral13/files/0x00320000000155f7-22.dat  acprotect
  behavioral13/files/0x00320000000155f7-23.dat  acprotect

- yara rule aspack_v212_v242 (2 matches)
  resource / yara_rule:
  behavioral13/files/0x0009000000012266-9.dat  aspack_v212_v242
  behavioral13/files/0x0009000000012266-20.dat  aspack_v212_v242

- Executes dropped EXE (1 IoC)
  pid / Process:
  2700  bckmsn.exe

- Loads dropped DLL (6 IoCs)
  pid / Process:
  1044  itadx.exe
  1044  itadx.exe
  2700  bckmsn.exe
  2700  bckmsn.exe
  2700  bckmsn.exe
  2700  bckmsn.exe

- yara rule upx (6 matches)
  resource / yara_rule:
  behavioral13/memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  behavioral13/memory/1044-16-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  behavioral13/files/0x00320000000155f7-22.dat  upx
  behavioral13/files/0x00320000000155f7-23.dat  upx
  behavioral13/memory/2700-25-0x0000000010000000-0x00000000100FD000-memory.dmp  upx
  behavioral13/memory/2700-28-0x0000000010000000-0x00000000100FD000-memory.dmp  upx

- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bckmsn = "C:\\Program Files (x86)\\bckmsn\\bckmsn.exe"  bckmsn.exe

- Drops file in Program Files directory (7 IoCs)
  description / ioc / Process:
  File created  C:\Program Files (x86)\bckmsn\mpvisdm.dll  itadx.exe
  File opened for modification  C:\Program Files (x86)\bckmsn\mpvisdm.dll  itadx.exe
  File created  C:\PROGRA~2\bckmsn\200~1.1\dmplayer.dll  bckmsn.exe
  File created  C:\Program Files (x86)\bckmsn\info.dat  bckmsn.exe
  File opened for modification  C:\Program Files (x86)\bckmsn  itadx.exe
  File created  C:\Program Files (x86)\bckmsn\bckmsn.exe  itadx.exe
  File opened for modification  C:\Program Files (x86)\bckmsn\bckmsn.exe  itadx.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeRestorePrivilege  1044  itadx.exe
  Token: SeBackupPrivilege  1044  itadx.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  2700  bckmsn.exe
  2700  bckmsn.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target:
  PID 1044 wrote to memory of 2700  1044  itadx.exe  28
  (the same entry is recorded 7 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\itadx.exe  "C:\Users\Admin\AppData\Local\Temp\itadx.exe"  (PID 1044)
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\bckmsn\bckmsn.exe  "C:\Program Files (x86)\bckmsn\bckmsn.exe"  (PID 2700, child of 1044)
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: b879cab8736199a150f07f551dfc8f2f
  SHA1: f09ab4bbd42bbc80d5ea7f1c44b2cb54c3541018
  SHA256: ef6a059c7165ad3bc6060965eb3440544066c10f920045be0a3793970a8843e1
  SHA512: 7a390cd4ef77f1c1685a9d584873e22288ee4fbe7d64d42b2aff3ccc9a307eea6cc4348798bea64e84dd861c77adb0081c9d1b494fe87d405505a92637f92acf

- Filesize: 311KB
  MD5: 4b1f8834f9dc17e732af9807581b5939
  SHA1: 1ff447e62a3f90560f6778da74131bc0b1ae769c
  SHA256: 2984d7361bbb36e590b9afd7fd59b96fedf737f72858b80ac84287c6509c58be
  SHA512: f6c2434d738bc58304cb7a56ff9cf701b701845cab726f375616205c3acf213b0c3d1838346aad186ff47b89ab5fc6b5b31d72cdfd2204f24254e6a46fffbbf4

- Filesize: 164KB
  MD5: 2eb336f8aeca2aab40505d039f3a6a8a
  SHA1: a2e5889115701a1363dd43ca9d2b535955554968
  SHA256: d05cbe888d7929e4db64f0b88235413f0f9163363f534bbe17e0b24f40af9b04
  SHA512: b89e02b862d5a81f71b267697410e0f2b52409006db27300e3483bcf65630ac9a8fd4c7976ce18dfd1c27f9440bda76b4157bfaac291aa7fc524f53f9e5298b2

- Filesize: 237KB
  MD5: ef5ec12bc67a3391646e48810dd2bab4
  SHA1: b57e0aa8ade39642f454c1a179be4ff94f427702
  SHA256: 5fcaee3ea4ff2b50085af85f3ddd7ae9cdcebcb7a819c5b5d744fbe91a4293ae
  SHA512: 504702736ced85c8ca01fd7f36a5cc30706254b5fecdb45c05f494d3130f6af08ebc468923aa89a0f95b7b9091f3aa390ff2d5cc5378bedceaef9b4cdd46fcf0

- Filesize: 192KB
  MD5: 248d3f87bfd9eb7141a01548c1135635
  SHA1: 0a2f42b8d85ff91879792adbc0251df584a10c0f
  SHA256: 7bc32f6c9a3e8d7ea28f356d492172b59236366b3c5a3fd5dc72200dbe92e44d
  SHA512: 5e79ad47b1a9536f990653453f7601a6ef36232e059e0b1a6ebbb907888e1589185357c618b77688c9e8bf3cfe532f1227596dbd6b6538f63c3910c62ac4f934