cc1cd5ba859a7740354c41b4ff82ca5dcd647841b8f85eeaff98b4100e7e97ed

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc6a6c618be3601c0aab4a846d1cb67f.exe
Size

58KB
MD5

bc6a6c618be3601c0aab4a846d1cb67f
SHA1

2c66724dad00ce1e21fdbd0f094f2f4b22732b20
SHA256

cc1cd5ba859a7740354c41b4ff82ca5dcd647841b8f85eeaff98b4100e7e97ed
SHA512

9a20bcf3acbd9b86602273f0d83fe55decd4537453abdc4ed120f94bcda08a636ff167c095252aafd8a13f5e276d32e165ed0767bcef08054e2ad5cab49f6d0a
SSDEEP

1536:gMgT2CrBCYsjFjR1/j41qWtMmZojQzpMyzPT9sL150b:RK2LDNjxIMmZ8tgPT9sL150b

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023201-13.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3596	Syszx.exe

Loads dropped DLL 2 IoCs

pid	Process
3596	Syszx.exe
3596	Syszx.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5088-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x000a0000000231f9-4.dat	upx
behavioral2/memory/3596-8-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x0007000000023201-13.dat	upx
behavioral2/memory/3596-14-0x0000000000590000-0x00000000005B4000-memory.dmp	upx
behavioral2/memory/3596-15-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5088-17-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3596-16-0x0000000000590000-0x00000000005B4000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Syszx.exe	bc6a6c618be3601c0aab4a846d1cb67f.exe
File opened for modification	C:\Windows\Syszx.exe	bc6a6c618be3601c0aab4a846d1cb67f.exe
File opened for modification	C:\Windows\NTZX.DLL	Syszx.exe
File created	C:\Windows\NTZX.DLL	Syszx.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91970}	Syszx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91970}\	Syszx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91970}\InProcServer32	Syszx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91970}\InProcServer32\ = "C:\\Windows\\NTZX.DLL"	Syszx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91970}\InProcServer32\ThreadingModel = "Apartment"	Syszx.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeBackupPrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe
Token: SeRestorePrivilege	3596	Syszx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3596	Syszx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3596	5088	bc6a6c618be3601c0aab4a846d1cb67f.exe	89
PID 5088 wrote to memory of 3596	5088	bc6a6c618be3601c0aab4a846d1cb67f.exe	89
PID 5088 wrote to memory of 3596	5088	bc6a6c618be3601c0aab4a846d1cb67f.exe	89

C:\Users\Admin\AppData\Local\Temp\bc6a6c618be3601c0aab4a846d1cb67f.exe
"C:\Users\Admin\AppData\Local\Temp\bc6a6c618be3601c0aab4a846d1cb67f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Syszx.exe
  C:\Windows\Syszx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\NTZX.DLL

Filesize
44KB

MD5
516236b350d0cb03ac10f94ef7690e60

SHA1
1aa499fa59e4f38a7ea9c2ff808172532d742717

SHA256
4e5a16bfc52785fb1bbf6203d4fd66bb8f658be20b7a56ac402fb2e217f08fbc

SHA512
5d17ac7f5af04f50a7a3d94bf96815c48020820e785661f7d22879ce76e3eef1487d987d02b7d29e2b1afbd92329465914ea6ab86f9c71475982575e2944833c

Download Submit
C:\Windows\Syszx.exe

Filesize
58KB

MD5
bc6a6c618be3601c0aab4a846d1cb67f

SHA1
2c66724dad00ce1e21fdbd0f094f2f4b22732b20

SHA256
cc1cd5ba859a7740354c41b4ff82ca5dcd647841b8f85eeaff98b4100e7e97ed

SHA512
9a20bcf3acbd9b86602273f0d83fe55decd4537453abdc4ed120f94bcda08a636ff167c095252aafd8a13f5e276d32e165ed0767bcef08054e2ad5cab49f6d0a

Download Submit
memory/3596-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3596-14-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3596-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3596-16-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/5088-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5088-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download