9152487eb3e160e6f8d97b1489189f479d845b044018ccf92479021ab70656c4

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e733e40eb840af9f13d09395e4985f3.exe
Size

1.2MB
MD5

6e733e40eb840af9f13d09395e4985f3
SHA1

7595ea346535ca77ca954923426e9b6c344c495f
SHA256

9152487eb3e160e6f8d97b1489189f479d845b044018ccf92479021ab70656c4
SHA512

474187364de53a27182f6668184d3f80fa1e654d54f5b505129a388d761541ffd5bc2aa929b21a99d7bb19692a3a0071f061d32856c5eeee8fecbf13ff0cfda1
SSDEEP

24576:GIx5Kx34IQb8xlusz8HUCa2+9eu1e4B4KuOYrbRL+wdyQH:GCYF4IQwxhzeUCaF9PTjuZrbvyQH

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	rinst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	VulanProF94.Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	6e733e40eb840af9f13d09395e4985f3.exe

Executes dropped EXE 5 IoCs

pid	Process
4712	rinst.exe
2500	VulanProF94.Crack.exe
2304	windowsz.exe
4604	rinst.exe
4224	khoahocphothong.net.exe

Loads dropped DLL 11 IoCs

pid	Process
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
1448	6e733e40eb840af9f13d09395e4985f3.exe
4604	rinst.exe
2304	windowsz.exe
2304	windowsz.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
2500	VulanProF94.Crack.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsz = "C:\\Windows\\SysWOW64\\windowsz.exe"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khoahocphothong.net = "C:\\Windows\\SysWOW64\\khoahocphothong.net.exe"	khoahocphothong.net.exe

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\khoahocphothong.net.exe	rinst.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	windowsz.exe
File created	C:\Windows\SysWOW64\khoahocphothong.netwb.dll	rinst.exe
File opened for modification	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\khoahocphothong.nethk.dll	rinst.exe
File created	C:\Windows\SysWOW64\windowszwb.dll	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\windowsz.exe	rinst.exe
File created	C:\Windows\SysWOW64\windowszhk.dll	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	khoahocphothong.net.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	khoahocphothong.net.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	rinst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	khoahocphothong.net.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	windowsz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	khoahocphothong.net.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	khoahocphothong.net.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	windowsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	khoahocphothong.net.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
2304	windowsz.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe
4224	khoahocphothong.net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4712	1448	6e733e40eb840af9f13d09395e4985f3.exe	91
PID 1448 wrote to memory of 4712	1448	6e733e40eb840af9f13d09395e4985f3.exe	91
PID 1448 wrote to memory of 4712	1448	6e733e40eb840af9f13d09395e4985f3.exe	91
PID 4712 wrote to memory of 2500	4712	rinst.exe	93
PID 4712 wrote to memory of 2500	4712	rinst.exe	93
PID 4712 wrote to memory of 2500	4712	rinst.exe	93
PID 4712 wrote to memory of 2304	4712	rinst.exe	94
PID 4712 wrote to memory of 2304	4712	rinst.exe	94
PID 4712 wrote to memory of 2304	4712	rinst.exe	94
PID 2500 wrote to memory of 4604	2500	VulanProF94.Crack.exe	98
PID 2500 wrote to memory of 4604	2500	VulanProF94.Crack.exe	98
PID 2500 wrote to memory of 4604	2500	VulanProF94.Crack.exe	98
PID 4604 wrote to memory of 4224	4604	rinst.exe	102
PID 4604 wrote to memory of 4224	4604	rinst.exe	102
PID 4604 wrote to memory of 4224	4604	rinst.exe	102

C:\Users\Admin\AppData\Local\Temp\6e733e40eb840af9f13d09395e4985f3.exe
"C:\Users\Admin\AppData\Local\Temp\6e733e40eb840af9f13d09395e4985f3.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\VulanProF94.Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VulanProF94.Crack.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rinst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\khoahocphothong.net.exe
        
        C:\Windows\system32\khoahocphothong.net.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4224
- - C:\Windows\SysWOW64\windowsz.exe
    C:\Windows\system32\windowsz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VulanProF94.Crack.exe

Filesize
959KB

MD5
e367cb48cd82099f9742c991c46fbd7b

SHA1
572ad459c1e0890afc73e76b0146b60084ad4584

SHA256
93de318ff9b92ac29a4cf118ebb426cc935f6cde8c96460659c5466f345f0bb8

SHA512
395635ce5ad68f5070b79f26bb76ebc503a0116975a1f29ec92c4235a8715adcdb6e424739bd9e7b9222e75cdfe68dd50f238c297aea33de2ce5dcb343fdafdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VulanProF94.Crack.exe

Filesize
211KB

MD5
d8f7e183880950d15e02f48534d70207

SHA1
5c1184c4d1bcc62a67dd634a0ae35e1c4fe2e58b

SHA256
44df4a21c3d1e200182cd8cc3c3ca884d3c02479c82b9dca8df0242452f5602e

SHA512
4081fa077a83e2d1c203257ab938186bdf506cb0986f6d3d8c82b80628c90c75b756e3468a9548a723acba9ef90a2ea34384d8cc2601462c35e2c8733d5072aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
54f5dbcf4b39a481d30784c99831e309

SHA1
3e8cc267683e9c830dcc4fa9e25e50f7bc999105

SHA256
6dff5d5ee810a5cb830289b2138dcf4c3863cdbd383365e41110dc50a7671374

SHA512
3df8a92e56dc222700ea7562fa4d3b45eb827860d4232a153cbc06bfd36a74f9103536f5c66065e8fb3a258070f791fe3c26ffa6afc7ddc8cde48a49c829a812

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
1c82ad81db951e13462a790032877fec

SHA1
cb71be3c926885764ec460822511c03c5802134b

SHA256
0cf02dac4e829841c22e133ce02b4aa0e582c6c4abfd373979277bc03a367ca8

SHA512
08c1c1969037a6b46f157b2fe6ac1c7b268e1797270c41217fb8fd1638e1f206971e124841a27da189614eab53dfe41cec7c46f24f248fd532b3f1f2119fd72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\windowsz.exe

Filesize
275KB

MD5
a99db180675ff24676ece26421e3a69a

SHA1
77b61a3d232afb9012bc56b0c2ec79bb1c0ccad7

SHA256
f39ac4347c71e571d924f713851b51408bdf8ebf6fd7e65400e0b674f6a3a0f4

SHA512
b12e96157a6633f423236078b6d7cfda04298c6be15049687b7c7230a4415ae06f55258b1137b011326ff402f98c2c5439753d35a4392e68582043c4e985963b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\windowszhk.dll

Filesize
24KB

MD5
9c74175621b5f6ac5c9300a7cc42874d

SHA1
9c40871935caf66b92c14999cc7653c81793fb82

SHA256
2364ee7e6afd021abdbb9438aabdf6db827f9555bfb869108671f6fa081811cd

SHA512
2581c1f2f2cecbda15673da60ca5881fb7e387850c9df057d412dd06e58b6b4633107086fe056e7288647be47870978c5845b529b12904a7a98f94efe5d021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\windowszwb.dll

Filesize
19KB

MD5
583d1761b700840493c9804878ea298a

SHA1
064bead8161fef6a15d54491283e68e193d0ca4f

SHA256
80bdb48d92251680b677f873f7da2b17d4d4c8eeaaef900bb826555eae8f88d7

SHA512
b87a59acd2a59c364e443912a725179b3529913479feeb5a8b556569a433b0244513703a71dca662ca3e9af884e4d723f3663ee84707fde7d2606ffb75293e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\VulanProF94.Crack.zip

Filesize
798KB

MD5
5a631c4e4d849f43939c07ef0d4511a4

SHA1
14b0f7105e3cd0ccac8c5eaff45875fcd1fbd60e

SHA256
ef1075d4a6f3351000248fed2d71dce0e37eb420094aab5f0966c8165626d18c

SHA512
ca7296c7be1b6ae5bdfaafa0d03f6de0f1a0a18766085e44af0ad01e90157bef3749602946a095aa4f4aeb08b109934e25485f26656e0a7ae4863b156012c3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\inst.dat

Filesize
996B

MD5
f34339e5f721aa7d1a742a0172330094

SHA1
87303a0d03cc4fd941d6da52c8d1bf649ca7ece8

SHA256
d484263d11f5aa576fc11074834241e352272cd15c9b8e891aa042aa78a2c750

SHA512
b582522636329490eaac3bc970991e7a3923646075f3a0c4e79ec14b4b7faee89281ee8573002ef9cd5488539feec306f1a192d930e9bfbb36fad53386b8d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\khoahocphothong.net.exe

Filesize
424KB

MD5
f663e93c5579939cfb5fe99af1709718

SHA1
ab56041ad5885095889e87b765d8be79e495fb26

SHA256
b839386716007754bc82621d4961f91f6ba98fd025a7e54a0698e8a1d060f7c4

SHA512
6dd40394aeec71e4bddf2f433fb9623a376ae3506a3e4ba22ee091c154ffcf25944bc5ceda9140e4c7b3f7e3fe2f98380940e87450ee9229f6d7d3cb609987f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\khoahocphothong.nethk.dll

Filesize
24KB

MD5
9b60660cccada3f585c3e4284195e9c5

SHA1
8c21b1490ccc99088a87f6b7495951a320355df1

SHA256
c13d3f6a1bb8a9d652eb7802a3b2dbbf31580cbef1983a982d1a4b73ca45693e

SHA512
d68baed804995afa41003393e2894f7fb473d63399a24af0ebcd8955b2789b0989372fb7f06a7d2b67a664c4d44e084867e81cc198737da0d0aafefc4e45afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\khoahocphothong.netwb.dll

Filesize
40KB

MD5
ea84c1f4209e797370ab6e19c8c83b66

SHA1
6e00610a3efd07be1c9911181a8ee17da4647f11

SHA256
aec793cf2d4a69bf091092f6048cb72f5ea7bea99c039fc4b82ff26f63f97754

SHA512
83eaad1b220488dbb59935739e66878d6f29871c692ec5b74ca36ff790e2cb2cfc09ae326ca6e67111b904e2d63bebb7f7b569461e479c892535b4e64d502769

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pk.bin

Filesize
4KB

MD5
d3918d6798d8b0d36325ee84df3867b2

SHA1
8e137c5cd5c5acac82c36fde506f0ced039fad9a

SHA256
c1d638ba2e1b507ca7a863a1c0a156790128471f628bc0edf0a0599820406d38

SHA512
302ae4e140a6ee9d3b2ec7b90d0f6f154583964a603ac44c48b022fb713d98e7ace8b8d88f206663978d51147f31ff61b9343b116d5b0b655905144ac19b0590

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
d91055e16388bcfff4e033a8b2628b77

SHA1
e38b04d48f3719ea716afdffd6746094c4d06576

SHA256
e222da323226e3b5b345e0e1ff949b62afc393b2c16a727acc528ff2d755dbf2

SHA512
b0aa5ff750a05df6426eb96c6ed27f73541bbbe1688c140bd83f1409f6c127d62fe5b0d30c52e07c34aad67012e9b28bd7e423e9089a368a61a8f5ddb17a931a

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
8e8e18b982439951472d2359b9af8e59

SHA1
3b8933c900152a2bd30bb22b68a8bfbe2f41d399

SHA256
855d4b4f9743eb2194f58e9e6ca7305266c036ae948ec4c12b8c516cc564109f

SHA512
ef08571759996916c5af52d5a3487017a47f8a7735e1cd6fbdf3daa5349559a80cb835b95acac3cf7a08b887dd524d0c9e5b02e8c989cfa7a1c4785ae2b2f37f

Download Submit
C:\Windows\SysWOW64\windowsz.exe

Filesize
424KB

MD5
994ffae187f4e567c6efee378af66ad0

SHA1
0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

SHA256
f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

SHA512
bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

Download Submit
C:\Windows\SysWOW64\windowszhk.dll

Filesize
24KB

MD5
9ac9028338d1b353a7cacb563bb91df7

SHA1
a20c5dee8f05c91686324cec2d5b092bafe58339

SHA256
93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

SHA512
ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

Download Submit
C:\Windows\SysWOW64\windowszwb.dll

Filesize
40KB

MD5
21d4e01f38b5efd64ad6816fa0b44677

SHA1
5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

SHA256
3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

SHA512
77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

Download Submit
memory/1448-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1448-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1448-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2500-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2500-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2500-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads