File name:	3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e
Full analysis:	https://app.any.run/tasks/aedd290b-4dff-496a-b0b9-03c4a9fda7a1
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 09:15:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	B9AFBCCA90D55D84AF42DB0CA0F62A42
SHA1:	757E96863FE74D75C5D10522280B19555F742CDB
SHA256:	3A69B134CA55598CA03FA0BD29638BBC13364F79D60AFABA966A2AE7FCD0F08E
SSDEEP:	98304:OdqNWJ7DuyzFTYNdMYZzoccLt1b7ImvU0ydfTVrt83um6e3izvJZPrqzNrv7GLC+:w7mhOs3jZHeV

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:04 04:40:08+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1171456
InitializedDataSize:	1564672
UninitializedDataSize:	-
EntryPoint:	0x95a058
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.2.1.2
ProductVersionNumber:	1.2.1.2
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.2.1.2
FileDescription:	加速器
ProductName:	加速器
ProductVersion:	1.2.1.2
CompanyName:	加速器
LegalCopyright:	加速器
Comments:	加速器


(PID) Process:	(236) 3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(236) 3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count
Operation:	delete key	Name:	(default)
Value:

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2324	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2324	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
236	3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e.exe	HEAD	200	103.235.46.96:80	http://www.baidu.com/	unknown	—	—	whitelisted
236	3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e.exe	HEAD	200	103.235.46.96:80	http://www.baidu.com/	unknown	—	—	whitelisted
5496	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2324	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
5496	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.171:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
2324	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2324	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
www.bing.com	104.126.37.171 104.126.37.161 104.126.37.177 104.126.37.160 104.126.37.170 104.126.37.144 104.126.37.139 104.126.37.145 104.126.37.153	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.baidu.com	103.235.46.96 103.235.47.188	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
self.events.data.microsoft.com	52.182.143.211	whitelisted

General Info

3a69b134ca55598ca03fa0bd29638bbc13364f79d60afaba966a2ae7fcd0f08e

B9AFBCCA90D55D84AF42DB0CA0F62A42

757E96863FE74D75C5D10522280B19555F742CDB

3A69B134CA55598CA03FA0BD29638BBC13364F79D60AFABA966A2AE7FCD0F08E

98304:OdqNWJ7DuyzFTYNdMYZzoccLt1b7ImvU0ydfTVrt83um6e3izvJZPrqzNrv7GLC+:w7mhOs3jZHeV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

SUSPICIOUS

Reads the BIOS version

Connects to unusual port

Contacting a server suspected of hosting an CnC

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with chinese language support

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

UPX packer has been detected

Themida protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings