3a15890bedd42d2f1212ace0369dce19f30f85ac65faf3f094933b3be7a6372b

Resubmissions

24/06/2024, 08:15

240624-j5zm4asera 10

10/06/2024, 16:22

240610-tvfscatcnn 10

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

??/325.exe
Size

9.1MB
MD5

cdc017ad5e35d93ae1554afa5faca0de
SHA1

50244e567adb5629b9caee3f912e629dfcfbdfc5
SHA256

2960484ccfa5df036f8bf653ab2ea4038a1320584cb1e67e0df9895be766d74b
SHA512

46af54c3756c979cf9bfd51db2fa891d2de04ccb3a834cef4c2efeadc409d872920bc7faa9b4412ba0af95cb3ee2e4ee3494d6713ab7f46a7fa9b61b7e64f18d
SSDEEP

196608:YyEbi8kKU1qXnpwCeDp5IXuWEA1HaugJKvgabfT8z//QTDQsN85:YOK8q3CCeDfIeWVYKoabfT6QT0si5

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral6/files/0x0007000000023430-9.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3260	winos.exe

Loads dropped DLL 11 IoCs

pid	Process
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x0007000000023430-9.dat	upx
behavioral6/memory/3876-12-0x0000000074270000-0x000000007432C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\12\rtl70.bpl	325.exe
File created	C:\Program Files (x86)\12\XPFarmer.bpl	325.exe
File created	C:\Program Files (x86)\12\EPEvenue_SB.exe	325.exe
File created	C:\Program Files (x86)\12\kpzs.exe	325.exe
File created	C:\Program Files (x86)\12\libcef.dll	325.exe
File created	C:\Program Files (x86)\12\msvcp100.dll	325.exe
File created	C:\Program Files (x86)\12\vcl70.bpl	325.exe
File created	C:\Program Files (x86)\12\winos.exe	325.exe
File created	C:\Program Files (x86)\12\12345678.exe	325.exe
File created	C:\Program Files (x86)\12\CefControl.dll	325.exe
File created	C:\Program Files (x86)\12\DuiLib.dll	325.exe
File created	C:\Program Files (x86)\12\msvcr100.dll	325.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3876	325.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe
3260	winos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3260	winos.exe

C:\Users\Admin\AppData\Local\Temp\__\325.exe
"C:\Users\Admin\AppData\Local\Temp\__\325.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Program Files (x86)\12\winos.exe
"C:\Program Files (x86)\12\winos.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\12\CefControl.dll

Filesize
590KB

MD5
037d4ae83b30c3ba8f7f23e54a168bb2

SHA1
05a291f0397928c30d5b8fd4980c9ffb0472a4e7

SHA256
2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4

SHA512
fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

Download Submit
C:\Program Files (x86)\12\DuiLib.dll

Filesize
2.2MB

MD5
cbfc4a8bc75a556dd97981531fadd751

SHA1
25e8eccb28e804db23d1d5123f3766d29b99294f

SHA256
4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676

SHA512
3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

Download Submit
C:\Program Files (x86)\12\libcef.dll

Filesize
2.3MB

MD5
aca9d43f1489b96a859e21bbb9c906d6

SHA1
5d711692fbae0d59b5251ef98f5991317bb466e7

SHA256
f2ab5b7f2f987934171b5256481bd8469de9b3b8c36d7d0133fcc246c5595ead

SHA512
e121533ca772238fb677a34f5e5ddb9b0c3164e32c8680790596fd5ecbebcdfd4f4f0c3835ea80000c91ff34590336f2f3e50f75c037e1b38834c67a2b17424b

Download Submit
C:\Program Files (x86)\12\winos.exe

Filesize
5.2MB

MD5
dfff7fdeb342305504b35b2261eab611

SHA1
000f37471c5cf6d245848368d3eec4c1a21b624e

SHA256
2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246

SHA512
588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\System.dll

Filesize
12KB

MD5
e38d8ff9f749ee1b141a122fec7280e0

SHA1
fbc8e410ef716fdb36977e5c16d3373a6100189a

SHA256
00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4

SHA512
2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\nsNiuniuSkin.dll

Filesize
288KB

MD5
1e88afb7fe5b58d09d8a1b631e442538

SHA1
9ddb655cb32d002f68bdee962ce917002faa3614

SHA256
21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708

SHA512
a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3634.tmp\skin.zip

Filesize
344KB

MD5
92c109e47839d1c2fb9d78cf57b39776

SHA1
87ff3431ab46bfdd9c38c55d4bf091a3025d0dce

SHA256
289e27b61cc826656f857145e72a56bfadb3d8eb532966ba31706de8f2aaf81b

SHA512
171ba1ed02b89e62794442df3434c7c969fff6255030136960e36c0f1d3bd9b7518c1f1218110144d375410a3c8f167bfce76b085462d1457047b7c4f4f0518c

Download Submit
memory/3876-12-0x0000000074270000-0x000000007432C000-memory.dmp

Filesize
752KB

Download