1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 04:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
Size

14.1MB
MD5

45fdadc1af59faef8e361fd047964602
SHA1

8e05d457fc278e0506cb8751fdaffe0a5b1eb8c7
SHA256

1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d
SHA512

bf04d2e35c2500e0a8f8bd26887355dcf0320810b4582cd958b054e219abfeac6e16320f9d743affcedf63cd8c42c3758135b18fcee7b94e9eece5822375579a
SSDEEP

393216:P4K8q1cLjy+zCe/1mifAPEqzTeWVYKoabfT6QT0sbxJ:P4K/1bSCGAXX9YdabfesbX

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023400-9.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
2580	winos360.exe
3916	kpzs.exe
400	kpzs.exe
1868	kpzs.exe
3544	kpzs.exe

Loads dropped DLL 21 IoCs

pid	Process
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
3916	kpzs.exe
3916	kpzs.exe
3916	kpzs.exe
400	kpzs.exe
400	kpzs.exe
1868	kpzs.exe
1868	kpzs.exe
3544	kpzs.exe
3544	kpzs.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023400-9.dat	upx
behavioral2/memory/3756-12-0x0000000074CB0000-0x0000000074D6C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\12\uninst.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\winos360.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\XPFarmer.bpl	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\explorer.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\DuiLib.dll	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\kpzs.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\libcef.dll	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\msvcp100.dll	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\msvcr100.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\QQ.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\CefControl.dll	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\HelpPane.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\EPEvenue_SB.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\msvcr100.dll	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\rtl70.bpl	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\vcl70.bpl	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
File created	C:\Program Files (x86)\12\12345678.exe	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
3756	1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe
2580	winos360.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2580	winos360.exe
3916	kpzs.exe
400	kpzs.exe
1868	kpzs.exe
3544	kpzs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 3916	2580	winos360.exe	90
PID 2580 wrote to memory of 3916	2580	winos360.exe	90
PID 2580 wrote to memory of 3916	2580	winos360.exe	90
PID 2580 wrote to memory of 1868	2580	winos360.exe	94
PID 2580 wrote to memory of 1868	2580	winos360.exe	94
PID 2580 wrote to memory of 1868	2580	winos360.exe	94

C:\Users\Admin\AppData\Local\Temp\1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe
"C:\Users\Admin\AppData\Local\Temp\1c98c2fc0c27a9c6cfee9e7ff78283b7afb737911ee25039f23cb4fcdcd01d2d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Program Files (x86)\12\winos360.exe
"C:\Program Files (x86)\12\winos360.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\12\kpzs.exe
  "C:\Program Files (x86)\12\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3916
- C:\Program Files (x86)\12\kpzs.exe
  "C:\Program Files (x86)\12\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:872

C:\Program Files (x86)\12\kpzs.exe
"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\09FF5741AF4E4fe7B17043.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files (x86)\12\kpzs.exe
"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\6D29150F415B40ce9C99DA.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\12\CefControl.dll

Filesize
590KB

MD5
037d4ae83b30c3ba8f7f23e54a168bb2

SHA1
05a291f0397928c30d5b8fd4980c9ffb0472a4e7

SHA256
2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4

SHA512
fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

Download Submit
C:\Program Files (x86)\12\DuiLib.dll

Filesize
2.2MB

MD5
cbfc4a8bc75a556dd97981531fadd751

SHA1
25e8eccb28e804db23d1d5123f3766d29b99294f

SHA256
4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676

SHA512
3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

Download Submit
C:\Program Files (x86)\12\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Program Files (x86)\12\kpzs.exe

Filesize
72KB

MD5
3ffb2d1b619bd7841df50aaf619922fd

SHA1
6973d1b9f33ceb741569db9d0d1fa06712a2565e

SHA256
8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe

SHA512
7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Download Submit
C:\Program Files (x86)\12\libcef.dll

Filesize
2.3MB

MD5
e051c4f91754fca9baaf618aa1b96634

SHA1
7c026f137b8443a2b489cded18fde35d6bcf8b92

SHA256
6dff6ce527a1eef5f0c8f003bfd51bad43df14ec5d9d15248b451e0bf2066816

SHA512
6a217e73e568b978a85722f451ae287eea65fba595d2520e9b7402377c3ea22ecd372d52e3b66af2efd748aa05c04533d24db58c6a2dc06e2629b578b0918cc1

Download Submit
C:\Program Files (x86)\12\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\12\winos360.exe

Filesize
5.2MB

MD5
dfff7fdeb342305504b35b2261eab611

SHA1
000f37471c5cf6d245848368d3eec4c1a21b624e

SHA256
2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246

SHA512
588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\System.dll

Filesize
12KB

MD5
e38d8ff9f749ee1b141a122fec7280e0

SHA1
fbc8e410ef716fdb36977e5c16d3373a6100189a

SHA256
00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4

SHA512
2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\nsNiuniuSkin.dll

Filesize
288KB

MD5
1e88afb7fe5b58d09d8a1b631e442538

SHA1
9ddb655cb32d002f68bdee962ce917002faa3614

SHA256
21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708

SHA512
a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EBD.tmp\skin.zip

Filesize
344KB

MD5
f6a79e27e3413d61e3efa357518a9013

SHA1
c4db1a576107aafb5878be2aba57699ce5cbcb6f

SHA256
1475259157f97f492d2a8638c94a209920381890017da2d876f115b5945da701

SHA512
39ea0cfcc3b6298c24712c76316e9152c800222dae6e8c01487712546890b267d952e0e22a51f6494a877a15a7b00877f819354febe18340675a8bb71db77db3

Download Submit
memory/3756-12-0x0000000074CB0000-0x0000000074D6C000-memory.dmp

Filesize
752KB

Download