ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0

Analysis

max time kernel
189s
max time network
174s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 03:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
Size

255KB
MD5

dcee9c25159207b48862ab7a70345edf
SHA1

2047bbf2b554d76f22d9a6127eea69c52d5d4d73
SHA256

ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0
SHA512

a040944685082cd66360c5547fc600f3d6eae1d2e6ba2367246fc9547bd52077202203fce426b991968b1315f659a4a11d32c84fc0968c60e4230cbfccbea9fa
SSDEEP

6144:KY94NyBzMe3sZECh2ieQN+4yfpq45d94Rna/TN4X:Z9Oy5MY4EChpe+ufpFzLN4X

Score

10^/10

adware persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
typrone3

Signatures

Executes dropped EXE 3 IoCs

pid	Process
296	rinst.exe
268	gunny.exe
1680	bpk.exe

Loads dropped DLL 12 IoCs

pid	Process
904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
296	rinst.exe
296	rinst.exe
296	rinst.exe
296	rinst.exe
1680	bpk.exe
1680	bpk.exe
1160	IEXPLORE.EXE
904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\Logs.zip	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpkwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File opened for modification	C:\Windows\SysWOW64\web.dat	bpk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000ba6db2c9ca6661aa75485b3ae4e8d72b685c37253dadef1bd6b2f9c035c2942c000000000e80000000020000200000003bf0500d1e1ad5b2f7430e1cbe3d1da186df6f7074438a0c2a85e5173c4679579000000062c4b6607be934659b47e84ae37d3b669487692302dd7a4fcb201a80a5d04f1403164b0605177ec209376837dc70fad86c03a45aeeb33454f2367cb133a4be3fcf830b5bced6700e400f99d5f66d951d578b06042f13707f22a9bb63551aafe37f593b2f2b7022ee6af37d13313bc81a38dbd0ee38527a4059caf3e344aa2db459f235b1c6b29bad9959ef03a06ccc0a400000002565f47ecd87eeebd5fb7d0dcc468633ff1807f08473fc31ebbde64a5bd3e20de63699703b63ff7dcbf41984b485d173f0c27596bcdc8c27e84f26fa5d76751c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D93CBB1-6EAD-11ED-874D-7AEFAD47A2D2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0746b6aba02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376357637"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a62ede9ee9df4602cbcda700bb3ad4a38061ad1d7752958c239400809a07c0dc000000000e8000000002000020000000d8de94017005d31e23d8cbf98417fd29adc4cbadb35a7c66db6047c0834536362000000023f9086d11376416041eb49a3814bd0d04c40e05dbba28cbd88c9212a88f219140000000f1232c205b85fa2c8b946aeb4bb39dac5e20d067d7a9ded4b28ab189d46cc95922f842a7edbacc15d0ce0863ece737adcb336756099d0534be848c8e20ac58c5	iexplore.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1680	bpk.exe
1680	bpk.exe
704	iexplore.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
1680	bpk.exe
704	iexplore.exe
704	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1680	bpk.exe
1680	bpk.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 296	904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe	28
PID 904 wrote to memory of 296	904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe	28
PID 904 wrote to memory of 296	904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe	28
PID 904 wrote to memory of 296	904	ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe	28
PID 296 wrote to memory of 268	296	rinst.exe	29
PID 296 wrote to memory of 268	296	rinst.exe	29
PID 296 wrote to memory of 268	296	rinst.exe	29
PID 296 wrote to memory of 268	296	rinst.exe	29
PID 296 wrote to memory of 1680	296	rinst.exe	30
PID 296 wrote to memory of 1680	296	rinst.exe	30
PID 296 wrote to memory of 1680	296	rinst.exe	30
PID 296 wrote to memory of 1680	296	rinst.exe	30
PID 268 wrote to memory of 704	268	gunny.exe	31
PID 268 wrote to memory of 704	268	gunny.exe	31
PID 268 wrote to memory of 704	268	gunny.exe	31
PID 268 wrote to memory of 704	268	gunny.exe	31
PID 704 wrote to memory of 1160	704	iexplore.exe	33
PID 704 wrote to memory of 1160	704	iexplore.exe	33
PID 704 wrote to memory of 1160	704	iexplore.exe	33
PID 704 wrote to memory of 1160	704	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe
"C:\Users\Admin\AppData\Local\Temp\ce7cac02eb0a08d774e2ce8fb987a79415dd4adce7d7ea128cde13832884d8d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://idgunny.zing.vn/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:275457 /prefetch:2
        5⤵
        Loads dropped DLL
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1160
- - C:\Windows\SysWOW64\bpk.exe
    C:\Windows\system32\bpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
428KB

MD5
4634288b529d6879a6448650442f81f8

SHA1
b60d20416124a5953ef390fe4bc505d908c5116a

SHA256
98c9cdd211693b5b7c190d0b70db972d7071da31bdc4c0692e9951aadf579340

SHA512
988e1dc5c863630d96ae104ca889b8e7f04902a387a42de3a9fd6b5fc7eece877ab6fe7639df7a9467c717c871be57a9cc80ec74e3847c02fcd2a951e7bc6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
24KB

MD5
94d96674f84091006f0509fbf2bee79c

SHA1
0cd48471e8c6b917a3ee17fe0efe437c722c9929

SHA256
7cda4d5fc7fb4c1dc3f26580f68d678518014fc74e892b1bce9010f657e1c0af

SHA512
349381b49f6c039a0b6496a5100cbfe06f4c4078706a9892b84eb7dba0f7aa008bce3fb60e2562e4d3df510f09dceb484d2e5dcd652bdba6e3cf0fe3cdf72507

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

Filesize
40KB

MD5
e74a83aa8070db9bbf2113ca87bc72eb

SHA1
20a8e63aa83e3cc1dd344387c9a0e92071160950

SHA256
007a6ecb7c30eb3587470644f2c87c48ffdb6b9adba46d9156b32acbd723d120

SHA512
e884c7f677a8c07854d142b4458ed57efcda7adfe4a9e9cd73dd9462c7701027f525b80ff5a486c6acaabb228f8c9bad21a24146e213631ca6ae9e3b8c4232da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe

Filesize
27KB

MD5
7c5426ce3c7c99385e30b227b08989be

SHA1
74e08804fa2c182358c3867a5404a9de5f3b353f

SHA256
4806be5a2a5728a823941afd7ae71472c1e4a04207b9e69e721ea322e6b4a64f

SHA512
548186a9953e82c248c02963c46c8a67906b2636100213859027a37552ecac259d2ddfef1a6b51528bda48addb6e685121cc29581f685a4b6ca8b4bab3c58bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe

Filesize
27KB

MD5
7c5426ce3c7c99385e30b227b08989be

SHA1
74e08804fa2c182358c3867a5404a9de5f3b353f

SHA256
4806be5a2a5728a823941afd7ae71472c1e4a04207b9e69e721ea322e6b4a64f

SHA512
548186a9953e82c248c02963c46c8a67906b2636100213859027a37552ecac259d2ddfef1a6b51528bda48addb6e685121cc29581f685a4b6ca8b4bab3c58bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
3c0e120f850712777f1116fcc08c4769

SHA1
bd0bd44f804ab6d4a543a35716b5b2f1ca984890

SHA256
f4946fa872f54113d1555fd0c63d7cbf48c7f4769b7d24c7e25310bb24766994

SHA512
3781ae0b2e271536994465aed058e012713080cdd23bfcbaedbb19db400cdcc001abcb72795ef5a21e8ea2c4cc597955daa0262cb240fb89241811245ed59540

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
a5413bc77f77e84729524197f409837d

SHA1
b07b8720d8d9ede85889d783c84e2cac3bcbbc9c

SHA256
e09b058e420aa9c9066e4c55abc91923c7ae85ef58ba09666c08c5ad72e842f8

SHA512
f6fe82e53e8da1eec1ca47d516e2430d07e49f0ff8acc4eaeb082cb57cdac676831cdeb0ed501a39e32f8ea1906a73dea8d01f3b16b746fd863cebdbc5571ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VVQBM12O.txt

Filesize
608B

MD5
86d3924935f11943e2107f33b01e1b2c

SHA1
8f932c3f733fb9132bfbcf313c38496f10b92a2d

SHA256
94553a13873d4ad35e517e12fdd4919bf78fdda458c0f65c939b91041e7cb23c

SHA512
18082212937161fe002ff06bde4a2aa2308ff26da631835a233b9a94cd7c3c2a13ddb563ac3038da9ca7efdfd66032903e90167d12a8d51e4f271528f7bdcc46

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
428KB

MD5
bae0fb25bcf05a5da7fde8dce759ee0d

SHA1
bc74b07d14a63ce572755c70ceb796136d129e20

SHA256
b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

SHA512
74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
996B

MD5
3c0e120f850712777f1116fcc08c4769

SHA1
bd0bd44f804ab6d4a543a35716b5b2f1ca984890

SHA256
f4946fa872f54113d1555fd0c63d7cbf48c7f4769b7d24c7e25310bb24766994

SHA512
3781ae0b2e271536994465aed058e012713080cdd23bfcbaedbb19db400cdcc001abcb72795ef5a21e8ea2c4cc597955daa0262cb240fb89241811245ed59540

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
bae40b69af1f8de271b5304fd097807f

SHA1
fca353773dd7d714a8808d233a3e3e378c440dd5

SHA256
0e341e2aeb977531079887ad1752aeae071e1037d73d11b91e9ad8797baa4965

SHA512
c379651ce6aa180762cef9b6e85f11f3f518b97a60cbb911c7968271f889130064d835b009c21787dfb433e7870f142f088d17e50f01b7d247902f63fac36bae

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe

Filesize
27KB

MD5
7c5426ce3c7c99385e30b227b08989be

SHA1
74e08804fa2c182358c3867a5404a9de5f3b353f

SHA256
4806be5a2a5728a823941afd7ae71472c1e4a04207b9e69e721ea322e6b4a64f

SHA512
548186a9953e82c248c02963c46c8a67906b2636100213859027a37552ecac259d2ddfef1a6b51528bda48addb6e685121cc29581f685a4b6ca8b4bab3c58bca

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\gunny.exe

Filesize
27KB

MD5
7c5426ce3c7c99385e30b227b08989be

SHA1
74e08804fa2c182358c3867a5404a9de5f3b353f

SHA256
4806be5a2a5728a823941afd7ae71472c1e4a04207b9e69e721ea322e6b4a64f

SHA512
548186a9953e82c248c02963c46c8a67906b2636100213859027a37552ecac259d2ddfef1a6b51528bda48addb6e685121cc29581f685a4b6ca8b4bab3c58bca

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Windows\SysWOW64\bpk.exe

Filesize
428KB

MD5
bae0fb25bcf05a5da7fde8dce759ee0d

SHA1
bc74b07d14a63ce572755c70ceb796136d129e20

SHA256
b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

SHA512
74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

Download Submit
\Windows\SysWOW64\bpk.exe

Filesize
428KB

MD5
bae0fb25bcf05a5da7fde8dce759ee0d

SHA1
bc74b07d14a63ce572755c70ceb796136d129e20

SHA256
b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

SHA512
74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

Download Submit
\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
memory/904-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads