Analysis Overview
SHA256
219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71
Threat Level: Likely malicious
The file 219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Executes dropped EXE
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 18:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 18:22
Reported
2024-11-09 18:24
Platform
win7-20241023-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\lvqkBb.dll | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| File created | C:\Windows\lSfgtKl.dll | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| File created | C:\Windows\llDYcB\HtqbdIKS.dll | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| File opened for modification | C:\Windows\llDYcB\HtqbdIKS.dll | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
"C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe"
C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
"C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | cnwx.58ad.cn | udp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| US | 8.8.8.8:53 | www.go890.com | udp |
| US | 8.8.8.8:53 | wdx.go890.com | udp |
Files
memory/2600-0-0x0000000000400000-0x0000000000535000-memory.dmp
memory/2600-9-0x00000000024B0000-0x00000000025E5000-memory.dmp
memory/2600-11-0x0000000000400000-0x0000000000535000-memory.dmp
memory/2456-10-0x0000000000400000-0x0000000000535000-memory.dmp
C:\Windows\SysWOW64\rdSDry\219022cdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
| MD5 | bed47e64916c41a5369a6c9d081068ab |
| SHA1 | 1ac40c1f0007a0b73f8d6a7dfcf099f402c9a93a |
| SHA256 | 61de26ed75ad2175a1ad705db40b188f00fbebf7ad99d48c9916a68e1eccb2bf |
| SHA512 | 6547eb0fe4940e1a44a491b5143985dd89a1685e20bb637e7943bb1353e67dde0ade7b1bd65be9333608beecd0d8cbf925334aef311fa9585706a428c28711e3 |
memory/2456-15-0x0000000000400000-0x0000000000535000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 18:22
Reported
2024-11-09 18:24
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EuDulh2jqC\ImagePath = "\\??\\C:\\Windows\\EuDulh2jqC8.sys" | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "https://www.hao123.com/?tn=92867579_hao_pg" | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.hao123.com/?tn=92867579_hao_pg" | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
"C:\Users\Admin\AppData\Local\Temp\219022cfdfe40f8d24a17162fb5381a95acb4feac329273642dc633ccd6d6f71N.exe"
C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
"C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cnwx.58ad.cn | udp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| CN | 119.97.143.63:80 | cnwx.58ad.cn | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.go890.com | udp |
| US | 8.8.8.8:53 | wdx.go890.com | udp |
| US | 8.8.8.8:53 | www.58sky.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 255.255.255.255:6880 | N/A | udp |
| US | 8.8.8.8:53 | www.go890.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| GB | 174.35.118.63:80 | www.ip138.com | tcp |
| US | 8.8.8.8:53 | www.175sf.com | udp |
| US | 8.8.8.8:53 | ip.catr.cn | udp |
| US | 8.8.8.8:53 | 63.118.35.174.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip.dnsexit.com | udp |
| US | 3.223.207.201:80 | ip.dnsexit.com | tcp |
| CN | 103.216.153.69:80 | www.175sf.com | tcp |
| US | 8.8.8.8:53 | 201.207.223.3.in-addr.arpa | udp |
Files
memory/1672-0-0x0000000000400000-0x0000000000535000-memory.dmp
C:\Users\Admin\AppData\Local\lNaxpe\219022cfdfe40f8d24a1716fb5381a95acb4feac329273642dc633ccd6d6f71N.exe
| MD5 | 746bca11f8d16e347795dae743182d55 |
| SHA1 | 9765b8b7d84f5bfa140c7965a7ce68a39aa32bb6 |
| SHA256 | e61b59ff1124f7eba8a2c2aa1e51958cfb10217546ea0ce369e9314c8ee679bf |
| SHA512 | 87c4eebaefb35a0d841a8b315fe540e866e3743e917c80ca7658704409c7d9e5a6f97be2d7c7367c01abd2d4bcef41d05d1ad66d100507f2e81101eec25c3c92 |
memory/4212-8-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1672-9-0x0000000000400000-0x0000000000535000-memory.dmp
memory/4212-12-0x0000000000400000-0x0000000000535000-memory.dmp
C:\Windows\qQRacyk\clOToS.dll
| MD5 | 5e53829069a7100453e5a1721ce1ae2e |
| SHA1 | 88128724be367c9b862b506abfd81e831da2bcaf |
| SHA256 | b49f7cf1ff4d96fedbdc85607c6a60154a210f4396ea3de2eb9ca71f960e9801 |
| SHA512 | 09990a58058d042eb79c4bff3b98f67d0d671e2f7787166706a2b62f8f436955d8c66c9a176448be45fdd62636140e3783ae4c8f8e0026669f4e35777cd8b2c3 |
memory/4212-26-0x0000000002F10000-0x0000000003098000-memory.dmp
memory/4212-28-0x0000000002F10000-0x0000000003098000-memory.dmp
memory/4212-29-0x00000000023F0000-0x00000000023F3000-memory.dmp
C:\Windows\qQRacyk\kLBDILewh.dll
| MD5 | 88c4820aa1ecfa3017963db6a60952a0 |
| SHA1 | 95aeaa84e38c62059a703c6a8ce8712df9c990f9 |
| SHA256 | bb3c682d5bbe59a63dd8fad19466f8c9f770df15acdbed580012be7cea62acbd |
| SHA512 | bde8c85f4232f24f415289e1aab61ce090cbd06442d774908a86ede135e74834e4c964c1a584df7a8d37fb56559126de24ff42c8497df7602534cb5d6100f5ee |
memory/4212-48-0x0000000073E50000-0x0000000073ED9000-memory.dmp
memory/4212-54-0x0000000002F10000-0x0000000003098000-memory.dmp
memory/4212-55-0x00000000023F0000-0x00000000023F3000-memory.dmp
memory/4212-68-0x0000000073E50000-0x0000000073ED9000-memory.dmp
memory/4212-67-0x0000000002F10000-0x0000000003098000-memory.dmp
memory/4212-71-0x0000000002F10000-0x0000000003098000-memory.dmp