a47ef1b22b4797187294ec207237a8195273dab7d4543d46d5d23dafe520f853

Analysis

max time kernel
139s
max time network
160s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

点击此处安装语言包.exe
Size

10.8MB
MD5

44ce97dc5b3054dfb4999933219887b7
SHA1

23cedb5e66fbc1cf3c86a8812d6189ed3dd88b17
SHA256

af884204ca0845632eb01c3a37a9d5609f2b7065b884500658da60080eaab617
SHA512

e602db55a559e6c8f96d8dc222af5debc0025675d6fcf8e98e89d4efbd65811819d1e6c8c3467576b850ceb25e0891edb1b648e130caf66046fbc643a584ae04
SSDEEP

196608:PB/vhOCUMgKCZFB4IS+9G0eBF/6FLOyomFHKnPdfxxEBB2XCQkfLoaxA4JN1cdDD:PdJOCdgxZFBVeBUFqJbnf

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75zdeFQ06.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	75zdeFQ06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\75zdeFQ06 = "C:\\ProgramData\\deepscan\\I57P9vIG0_ecCW213G\\75zdeFQ06.exe"	75zdeFQ06.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

\ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll acprotect
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll acprotect
Executes dropped EXE 1 IoCs

Processes:

75zdeFQ06.exe

pid process

2500 75zdeFQ06.exe
Loads dropped DLL 7 IoCs

Processes:

点击此处安装语言包.exe75zdeFQ06.exe

pid process

3020 点击此处安装语言包.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe

resource	yara_rule
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll	acprotect
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll	acprotect

pid	process
2500	75zdeFQ06.exe

pid	process
3020	点击此处安装语言包.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral7/memory/2500-24-0x0000000074590000-0x000000007461D000-memory.dmp	upx
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll	upx
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll	upx
behavioral7/memory/2500-27-0x0000000073B40000-0x0000000073BDF000-memory.dmp	upx
behavioral7/memory/2500-42-0x0000000074590000-0x000000007461D000-memory.dmp	upx
behavioral7/memory/2500-43-0x0000000073B40000-0x0000000073BDF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

75zdeFQ06.exe

pid process

2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

75zdeFQ06.exe

description pid process

Token: SeDebugPrivilege 2500 75zdeFQ06.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

75zdeFQ06.exe

pid process

2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe
2500 75zdeFQ06.exe

pid	process
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe

description	pid	process
Token: SeDebugPrivilege	2500	75zdeFQ06.exe

pid	process
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe
2500	75zdeFQ06.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

点击此处安装语言包.exe点击此处安装语言包.exe

description	pid	process	target process
PID 3008 wrote to memory of 3020	3008	点击此处安装语言包.exe	点击此处安装语言包.exe
PID 3008 wrote to memory of 3020	3008	点击此处安装语言包.exe	点击此处安装语言包.exe
PID 3008 wrote to memory of 3020	3008	点击此处安装语言包.exe	点击此处安装语言包.exe
PID 3008 wrote to memory of 3020	3008	点击此处安装语言包.exe	点击此处安装语言包.exe
PID 3020 wrote to memory of 2500	3020	点击此处安装语言包.exe	75zdeFQ06.exe
PID 3020 wrote to memory of 2500	3020	点击此处安装语言包.exe	75zdeFQ06.exe
PID 3020 wrote to memory of 2500	3020	点击此处安装语言包.exe	75zdeFQ06.exe
PID 3020 wrote to memory of 2500	3020	点击此处安装语言包.exe	75zdeFQ06.exe

C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
"C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe 47043E045804540476046B0463047604650469044004650470046504580460046104610474047704670465046A0458044D043104330454043D0472044D04430434045B04610467044704530436043504370443045804330431047E04600461044204550434043204--aa`
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe
"C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.txt
Filesize
245B

MD5
83653858b21fb0c5759557da1d4bef6a

SHA1
e2b74867e669f0f5e84f4fb398ee8bdcc76d45f2

SHA256
ec02e0a0cdf6446da1a73267f8f7d5c544750fe96d01a97eb765e9187ed2eb72

SHA512
960b8ae0adefad0a155dd5f90c04f132877e26238aeaf9e6076608c50a4f5b584e5b3a1ef9eb1cfa363aef8e4eac80f43149f22d4e82a4c1bb16745b9bf31e2f

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe
Filesize
2.4MB

MD5
7721777df2350ff195203cc7d7fe12c5

SHA1
a434eee80a389fef7f4d9886ec23bc7c8fcb2e64

SHA256
af3f9d480936286ce799ed5422222d3feabbc2325cb8242c2d09937964e73916

SHA512
e94d1dc08cc7dbf98e50f933adc94b37e96ae4738eaff4c62c4901e9a38e67bbaa316e8ee770497b44257c7bfeca6a5924294f980b54a9da049d074fa63c4d41

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\mfc120.dll
Filesize
4.2MB

MD5
e1629a36f15824346bb54a9ebe9b622f

SHA1
ee5d55315ffb351e24b7c918c82e6ce4ec17a645

SHA256
68df186e26151313a0df2adb0ef5f3a45ebba3cb02229bd8723a29dee60e278d

SHA512
0301ed7ad473015478f32afd3e41dafd045eab26ad42080bad6030324564a7ed09a7516b8d362b5cb2201d087eb25f2bb7ac5fc809a387f49f893ac3df8814bb

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\msvcp120.dll
Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\msvcr120.dll
Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll
Filesize
186KB

MD5
feec59aca478ffd02bf81ec4a02768f1

SHA1
0a68219e91fd2f7a413b974a9ea22253ba9a6376

SHA256
c7d5fb1cdc4a2f6321c6e74538092a9ec6f2038d48c18132f77162b0064cd922

SHA512
23411c62d93b6107c1b3df2ee0ea7bfe62325483ecbc2653c17a66f6f5d4a1f2818b6be109f35b309d26d5733c379efbd2879d853e2c3f78b1ad4fc697c5a605

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll
Filesize
255KB

MD5
fa9d7d6498f69a3f129555856b8e57d6

SHA1
ded693730bd80767884d78c522c9d8d0061958db

SHA256
3ab66b2fd3173e71318175f19908331d7e3b442b14d3e39f0f10014f64f716ad

SHA512
235bf1dfd22c6a30e8df6737218c7968901192907db2846a43684d006f4159e0b16a4ecb0a3e67217c33778924bb6e05b8a963fc148df33190e4ba41b119dd8c

Download Submit
\ProgramData\deepscan\I57P9vIG0_ecCW213G\ygraph180.dll
Filesize
2.1MB

MD5
138e8d93a64d965565c7a521bfb4b83f

SHA1
7e9a41dcc64a50a8987c553212cf150b6f2a3bcb

SHA256
974e2266fe114abbc09e551ba230b10d25bdf5d5d1359f0814261ea48426f030

SHA512
06932c0813d102db66970c8794c6bd87bbb7b9627b650112f27545c3aba7fc481d0e4316293e126be6528d7f4a051f1ab6ea804bfcbfc60d61a8ef49361a1fa5

Download Submit
memory/2500-36-0x0000000010000000-0x0000000010374000-memory.dmp

Filesize
3.5MB

Download
memory/2500-38-0x0000000002A30000-0x0000000002B17000-memory.dmp

Filesize
924KB

Download
memory/2500-34-0x0000000075100000-0x0000000075101000-memory.dmp

Filesize
4KB

Download
memory/2500-30-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/2500-21-0x0000000010000000-0x0000000010374000-memory.dmp

Filesize
3.5MB

Download
memory/2500-28-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/2500-39-0x00000000004C0000-0x0000000000543000-memory.dmp

Filesize
524KB

Download
memory/2500-27-0x0000000073B40000-0x0000000073BDF000-memory.dmp

Filesize
636KB

Download
memory/2500-24-0x0000000074590000-0x000000007461D000-memory.dmp

Filesize
564KB

Download
memory/2500-41-0x0000000002A30000-0x0000000002B17000-memory.dmp

Filesize
924KB

Download
memory/2500-42-0x0000000074590000-0x000000007461D000-memory.dmp

Filesize
564KB

Download
memory/2500-43-0x0000000073B40000-0x0000000073BDF000-memory.dmp

Filesize
636KB

Download
memory/2500-47-0x0000000004440000-0x000000000452B000-memory.dmp

Filesize
940KB

Download
memory/2500-50-0x0000000004C20000-0x0000000004D95000-memory.dmp

Filesize
1.5MB

Download
memory/2500-52-0x0000000004220000-0x0000000004431000-memory.dmp

Filesize
2.1MB

Download
memory/2500-53-0x0000000010000000-0x0000000010374000-memory.dmp

Filesize
3.5MB

Download