Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 12:11
Static task: static1
Behavioral task behavioral1: sample LYDLL.dll, resource win7-20240903-en
Behavioral task behavioral2: sample LYDLL.dll, resource win10v2004-20240802-en
Behavioral task behavioral3: sample MsnReader.exe, resource win7-20240903-en
Behavioral task behavioral4: sample MsnReader.exe, resource win10v2004-20240802-en
Behavioral task behavioral5: sample UpDate.dll, resource win7-20240903-en
Behavioral task behavioral6: sample UpDate.dll, resource win10v2004-20240802-en
Behavioral task behavioral7: sample XT1922Lib.dll, resource win7-20240903-en
Behavioral task behavioral8: sample XT1922Lib.dll, resource win10v2004-20240802-en
General
Target: LYDLL.dll
Size: 424KB
MD5: 2265a498bf73383489dbd3541e7ac1fa
SHA1: d47bac8ead1428289874cb3e53c62dddbefd28c7
SHA256: a231bdcc7a1672c6cfdc159a08ba9db00b84e6222156deca575e6cb862209b67
SHA512: bfa1cb7705794a808a8e0f3e031f700e977e7787a2adef167aa5e4453832c0ec238c247735a14e96c0fe717b0b3d31784a5502b0b9a1e72b3b6e9df80be78205
SSDEEP: 6144:luMheR3mrOkdefYxzenLTEudNI/zQ3Q5mvnr1hgs6NMLiIcb0IdYA0NguLnEf:tNRIfYSJL452npheMmIcb5+AnQnEf
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource                                    yara_rule
behavioral2/files/0x000b0000000233b2-5.dat  acprotect
Executes dropped EXE 1 IoCs
pid   Process
1484  svchost.exe
Loads dropped DLL 3 IoCs
pid   Process
1484  svchost.exe
1484  svchost.exe
1484  svchost.exe
resource                                                                     yara_rule
behavioral2/files/0x000b0000000233b2-5.dat                                   upx
behavioral2/memory/1484-15-0x0000000010000000-0x00000000100FD000-memory.dmp  upx
behavioral2/memory/1484-32-0x0000000010000000-0x00000000100FD000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SYSWIN = "C:\\Windows\\svchost.exe"  rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  svchost.exe
Drops file in Windows directory 2 IoCs
description   ioc                      Process
File created  C:\Windows\dmshell.dll   rundll32.exe
File created  C:\Windows\svchost.exe   rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                             Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1484  svchost.exe
1484  svchost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                           pid   Process       procid_target
PID 3012 wrote to memory of 1548      3012  rundll32.exe  86
PID 3012 wrote to memory of 1548      3012  rundll32.exe  86
PID 3012 wrote to memory of 1548      3012  rundll32.exe  86
PID 1548 wrote to memory of 1484      1548  rundll32.exe  87
PID 1548 wrote to memory of 1484      1548  rundll32.exe  87
PID 1548 wrote to memory of 1484      1548  rundll32.exe  87
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LYDLL.dll,#1
  PID: 3012
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LYDLL.dll,#1
    PID: 1548
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\svchost.exe
      command line: C:\Windows\svchost.exe
      PID: 1484
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 868KB
MD5: 50a7707b174c8affe5dc8fa42ce9616e
SHA1: 8e51db19f55590ba6109b6bf624b432be4c275d0
SHA256: 200dc3f65a30cc5ab80bb8764f5d8c5525f2f0a6132295c4ee262abe4f53bf62
SHA512: 346229f3168023b6b33bad6c9f5bef2e97d25063d119a0bef95ced063a4188335ec5a3c8c2a4257c002f7b5e94be825e8245d152751eb7f5492abed398b5f5f2

Filesize: 379KB
MD5: 607ce5e3f197f37380660eb252f31366
SHA1: 784b907bb3b2b4b42f86a200d99c9ba6a2638b58
SHA256: 1b4b0ac73a1ea1167f91f87f5c901d920dd563b5288f869386a75eb694edb516
SHA512: 0abcade5dcff4b609a33cb57a3130bb40f729e4a2293b6c50f8b5d84a526b054afdfc5c48239de2f190b2daa8302abef67cc077dfa80df1c20fbecd924c6d761

Filesize: 20KB
MD5: 09a94cb1a83cc9b0107aaca961a40300
SHA1: d205d12ef0170f184a32fc4a13270bc7db7253f2
SHA256: 03ac787a19228ef4cfc5953d37b2e1839f7c1e0582a397562385f3bcc5bb20b5
SHA512: 37faca7ac8d02a8b32d17db64b9da670be50a1c13246d223e84550cedcd62818fafd6851a6344a75a04a0c1e237de3755465ea75d13582e3971fb68c3e3832f4