52c2942280f41e0fbc2332ebfdae6741fd5eb2c64e81063d31ab93ba1c6fc9bd

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18f28e52663cb8d68b867f1f37d4a7b9.exe
Size

659KB
MD5

18f28e52663cb8d68b867f1f37d4a7b9
SHA1

8c786b08838fe24a009e1be0b57b3a39bfb86be9
SHA256

52c2942280f41e0fbc2332ebfdae6741fd5eb2c64e81063d31ab93ba1c6fc9bd
SHA512

27fee594f994e3e635958aab80d8fa4cc66ec8ffc0a15b285d18f288a2bce49e54f6ca96168ace4c980b71064f96bb7cc5ebcae4d2d62dfe714bd79c9c5d2331
SSDEEP

12288:gr3ZBIReuTuYcRZHKU+68HDdg1utOmNx0po8Hpg/Q2lvkTJls:8ZB2zTVhF/hkEvh/lvaq

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	boolan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\main = "rundll32.exe \"C:\\program files\\internet explorer\\use11.dll\" mymain"	boolan.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpidisk.sys	1097.exe
File opened for modification	C:\Windows\SysWOW64\drivers\acpidisk.sys	1097.exe

Executes dropped EXE 9 IoCs

pid	Process
2232	SkypeClient.exe
2808	dodolook326.exe
2752	1097.exe
2952	1d007.exe
2940	boolan61.exe
1772	d03.exe
824	boolan61.exe
672	netdde32.exe
1056	boolan.exe

Loads dropped DLL 62 IoCs

pid	Process
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
2232	SkypeClient.exe
2232	SkypeClient.exe
2232	SkypeClient.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
2808	dodolook326.exe
2808	dodolook326.exe
2808	dodolook326.exe
2808	dodolook326.exe
2808	dodolook326.exe
2808	dodolook326.exe
2752	1097.exe
2752	1097.exe
2752	1097.exe
2752	1097.exe
2752	1097.exe
2752	1097.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
2952	1d007.exe
2952	1d007.exe
2952	1d007.exe
2940	boolan61.exe
2940	boolan61.exe
2940	boolan61.exe
2952	1d007.exe
2940	boolan61.exe
2940	boolan61.exe
2952	1d007.exe
1772	d03.exe
1772	d03.exe
1772	d03.exe
824	boolan61.exe
824	boolan61.exe
824	boolan61.exe
2952	1d007.exe
2952	1d007.exe
2940	boolan61.exe
2940	boolan61.exe
1056	boolan.exe
1056	boolan.exe
1056	boolan.exe
672	netdde32.exe
672	netdde32.exe
672	netdde32.exe
2072	regsvr32.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
800	rundll32.exe
800	rundll32.exe
800	rundll32.exe
800	rundll32.exe
2808	dodolook326.exe
2152	WerFault.exe
2088	WerFault.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000016047-9.dat	upx
behavioral1/memory/2232-22-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-24-0x00000000001D0000-0x00000000001F8000-memory.dmp	upx
behavioral1/memory/2232-72-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-145-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-157-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-174-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-189-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1056-190-0x00000000002B0000-0x00000000002DA000-memory.dmp	upx
behavioral1/memory/2232-193-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-199-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2232-201-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup"	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\netdde32.exe	1d007.exe
File created	C:\Windows\SysWOW64\netdde32.exe	1d007.exe
File opened for modification	C:\Windows\SysWOW64\d03.exe	1d007.exe
File created	C:\Windows\SysWOW64\d03.exe	1d007.exe
File created	C:\Windows\SysWOW64\63-29-7018	boolan61.exe
File opened for modification	C:\Windows\SysWOW64\mscpx32r.det	1097.exe
File created	C:\Windows\SysWOW64\mscpx32r.det	1097.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe	d03.exe
File created	C:\Program Files (x86)\Common Files\CPUSH\cpush.dll	d03.exe
File created	C:\program files\internet explorer\KVMonXP11.exe	boolan.exe
File opened for modification	C:\program files\internet explorer\KVMonXP11.exe	boolan.exe
File created	C:\program files\internet explorer\use11.dll	boolan.exe
File opened for modification	C:\program files\internet explorer\use11.dll	boolan.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\dodolook326.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File created	C:\Windows\system\1d007.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File opened for modification	C:\Windows\system\1d007.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File opened for modification	C:\Windows\sysdn.ini	boolan.exe
File created	C:\Windows\system\boolan61.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File opened for modification	C:\Windows\system\boolan61.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File created	C:\Windows\system\dodolook326.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File created	C:\Windows\system\SkypeClient.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File opened for modification	C:\Windows\system\SkypeClient.exe	18f28e52663cb8d68b867f1f37d4a7b9.exe
File opened for modification	C:\Windows\8A45.tmp	boolan61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2088	672	WerFault.exe	35
2152	1056	WerFault.exe	36

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\ = "CPopupBlock Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\ = "CAdLogic Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID\ = "NewAdPopup.ToolbarDetector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer\ = "NewAdPopup.ToolbarDetector.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1056	boolan.exe
1056	boolan.exe
1056	boolan.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	boolan.exe
Token: SeDebugPrivilege	1056	boolan.exe
Token: SeDebugPrivilege	1056	boolan.exe
Token: SeRestorePrivilege	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe
Token: SeBackupPrivilege	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2232	SkypeClient.exe
2232	SkypeClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2232	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	28
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 1708 wrote to memory of 2808	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	29
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 2808 wrote to memory of 2752	2808	dodolook326.exe	30
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2952	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	31
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 1708 wrote to memory of 2940	1708	18f28e52663cb8d68b867f1f37d4a7b9.exe	32
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2940 wrote to memory of 824	2940	boolan61.exe	33
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 1772	2952	1d007.exe	34
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2952 wrote to memory of 672	2952	1d007.exe	35
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 2940 wrote to memory of 1056	2940	boolan61.exe	36
PID 1772 wrote to memory of 2072	1772	d03.exe	37

C:\Users\Admin\AppData\Local\Temp\18f28e52663cb8d68b867f1f37d4a7b9.exe
"C:\Users\Admin\AppData\Local\Temp\18f28e52663cb8d68b867f1f37d4a7b9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system\SkypeClient.exe
  "C:\Windows\system\SkypeClient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Windows\system\dodolook326.exe
  "C:\Windows\system\dodolook326.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\1097.exe
    "C:\Users\Admin\AppData\Local\Temp\1097.exe" 7326
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2752
- C:\Windows\system\1d007.exe
  "C:\Windows\system\1d007.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\d03.exe
    C:\Windows\system32\d03.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:2072
- - C:\Windows\SysWOW64\netdde32.exe
    C:\Windows\system32\netdde32.exe /install 1d007
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 256
      4⤵
      Loads dropped DLL
      Program crash
      PID:2088
- C:\Windows\system\boolan61.exe
  "C:\Windows\system\boolan61.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\boolan61.exe
    "C:\Users\Admin\AppData\Local\Temp\boolan61.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:824
- - C:\Users\Admin\AppData\Local\Temp\boolan.exe
    "C:\Users\Admin\AppData\Local\Temp\boolan.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 348
      4⤵
      Loads dropped DLL
      Program crash
      PID:2152
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\program files\internet explorer\use11.dll" mymain
      4⤵
      Loads dropped DLL
      PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\boolan61.exe

Filesize
100KB

MD5
6bd08e23f842dd375eb30b333ce4b6e8

SHA1
b96b86342e4a5914450d44970f254d46bf9a865d

SHA256
0dba8d4dbbacfb077f31465280abe1e95c750080f174a7443ea80b0bd5108d62

SHA512
27786ba351f3c996d154806d00fd4a7c12ea9c51fea1e62fe07aee3a394940384bc2ff1d934aeb48c10bbd4c3d5e5a4152b968f9836f73cc10dbcb025512cd0f

Download Submit
C:\Windows\sysdn.ini

Filesize
134B

MD5
6a957082f40593a84848a36cf92bbe10

SHA1
556cd23f427fd58227def7c41d10309e8ddd00f8

SHA256
543ce576fee71391fc05857cfb02eee32dd9cd025ff1deeaac1666d953466db0

SHA512
52aeed7c78b4ba0a6add6bcb50279da9aa431a7fdb75cd053c410f2a6633aa00d40a0c0591a4af54810445ab6b990c71d8bf196bb9eef3e10c26ed12f1fe0448

Download Submit
C:\Windows\system\1d007.exe

Filesize
64KB

MD5
0c6c2905634f0e2100bdf9d3d0dcd848

SHA1
499e927d1288b4c7c8598583ba128119ed4251dc

SHA256
577be0978f545099e595b0770bd89918e9cef4b93d0e43f66040e3a40f9b33bc

SHA512
2ac9b062c22f47967f6dc7832cf47c81f1f6fb4a14cc558fb7bd5092603ddb0d20b295cb334155251480ae443ac7122ddf9d923282d0c9ed9c02eed98ea0677d

Download Submit
C:\Windows\system\boolan61.exe

Filesize
180KB

MD5
4689ad0e9c7993f095653a4e68e1d89d

SHA1
f92ee629c2dcbad4cea39af8bc421dc29d99c620

SHA256
4345d0a770f7061425992fe7ee9a2ae34a18ac63ca6e9f7113a76107560cb1c2

SHA512
94fddd78f077e2d997df8abb2a3169ea946b5205213a4650823030d0f77e0f5212729068fa1d6a6d181c78d60a021491033059d3552b16287db0925e21e4da44

Download Submit
C:\Windows\system\boolan61.exe

Filesize
8KB

MD5
78ca68ae3257e092874b65dd2d9b6286

SHA1
72fed93542fb60aab119ad6ad94be657c319237f

SHA256
6363b3cdf9f0d94f74bb70bd7ae99590e71be044a48279e2a8e7924b7005779a

SHA512
e5d9d7e5c8fab2da119330f0a5fc666668ef7af40fead128673ce8aceb8a31c4c7af850a3eb2435b5f4be860ecaff2240b54fbe3798ca6a6b0162640499b6ffd

Download Submit
\Users\Admin\AppData\Local\Temp\1097.exe

Filesize
129KB

MD5
170b9c9a5dc7d866a2b03bc10b116381

SHA1
28a21ec37cf4dc5fb45c98c65e9b93d295db8b8a

SHA256
48d1c7c44fc308bfb8ec62a9a4d08b43944ccc09a432f6be306048392b0ef5f2

SHA512
11c3cfaf295cb095347190df7ec2101a3b004feaabf7400bf40333aeffd9244e5457dc098e3ed7274eff5de97d3e2267f04b7b0af08ba2763061f35b31e2aeac

Download Submit
\Users\Admin\AppData\Local\Temp\DoSSSetup.dll

Filesize
80KB

MD5
c12c0bb5e2ebf521a8eb5d5dccb15638

SHA1
fd4ccdcd39d2f597251bf7212202b535fdf8fb4a

SHA256
bd809761a4e6cb485065961aa082ded3ede1a0369f203531f1732d82131b581a

SHA512
e4b79d96a920cd49dacad471bd488aa7a3b0c459c26f3f63d3be99992b117cfca13bda9e05e3927e16d9733b1c522a961d34393cefaa72321fd4ca36f7bb7d61

Download Submit
\Users\Admin\AppData\Local\Temp\boolan.exe

Filesize
43KB

MD5
954a91db9247c4e815ea95101d48862f

SHA1
7bb4ae19a2153c507e559fad0f1d3fdf925f745a

SHA256
7ea6327242b0cecf1aa4b6e49a1436531ab6b02abf8fb4beb7d744636d8edcdf

SHA512
4beddfb94b92889ccdb2f130c678db05d113f4124585e475df849b30a2068aab2d0b76f25d5f367788788a75ebad17ee7c3ae55fb7c0ee0e868f596499593494

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5B79.tmp\System.dll

Filesize
10KB

MD5
61151aff8c92ca17b3fab51ce1ca7156

SHA1
68a02015863c2877a20c27da45704028dbaa7eff

SHA256
af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

SHA512
4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Download Submit
\Windows\SysWOW64\d03.exe

Filesize
110KB

MD5
6ba170a48c9fa186a3f6cb8720a5cfe3

SHA1
5a9089c1bd3c8bfea1b4e3aa9fb30c9eb65680ee

SHA256
f695522f3b4afbfefae85b2d24043e59b263ecb51d608b73cb1ae77bbbc116af

SHA512
49a43f0938a5c656f54545923cf66cc78081e05b7b5416d19270cdb438bab132942da717e79870bb7c40562545a4546da70d74436f78da96738fbb69071dcdbc

Download Submit
\Windows\SysWOW64\netdde32.exe

Filesize
41KB

MD5
7f4ca048802b54279e65b9c5c0adaa7c

SHA1
b6b41830185b13dc253c70239e29230d2b8f7f28

SHA256
3325dfe169a9ea6de3b0228fe231636b13bc287c935ffb35b364519f48e421aa

SHA512
442c0e9c042ab7a30ea9d21314894f197f8e003009e3b7e03b470c46b65260ba0aab7d02253ff287052786d67a4f4fe9ae3faa59bb8bf2712fa911333d816c61

Download Submit
\Windows\system\1d007.exe

Filesize
184KB

MD5
b1e9e12a3faf6deb75c7eb0b39d721be

SHA1
61ffb7e924937e6e4248af371305959935dcbf7a

SHA256
1cb67128e73fcb46b633c63de4d0497f8541888eea27997bb2cb80d403f905e7

SHA512
31db64c3a462ab4be0fac5252277b79a7337e0dae852abbfbafed72dc3c750a0805feed3be0ae21796f464c2d3e7176c8588abd0ac250b46c72111440a1e1151

Download Submit
\Windows\system\1d007.exe

Filesize
8KB

MD5
6ff969383ea4214a2756623eab427e96

SHA1
f8dd5fd072f9db96b9d8090ac71f656681d392f2

SHA256
1e235e768ceb5eefd6b0c2c18b8e7aeed7e839414c54e2b55817f2d29f66e8f4

SHA512
06fe547ba6205c4b1e082b46f4530b7817bdc5b2cb8e9c23ae462bcbf45f27821fd35ae906de68cf5257e0f1f42b5210f294499ab590c757bb4454f3a35716db

Download Submit
\Windows\system\SkypeClient.exe

Filesize
57KB

MD5
ba1aad08339e2b675ebeb18f13613ca4

SHA1
57a66ac24295df33fcd293c7e8dd29e7e98e580c

SHA256
2920b87a3abaf6122615dd96527c7cfa90e76cb3062da7143743ecb23c764c66

SHA512
76103b2e52914e0dc5294de544db66e3f1deacf78b8f5724a4bb5c46852ef2310a207499df1e219a44c5e8e3904dd417d80bf08e1f590cf1e045698cbd880eb2

Download Submit
\Windows\system\dodolook326.exe

Filesize
166KB

MD5
ba5ed986afe1f2ff22455a4da42511b8

SHA1
64adf2916b9a6c565d49f79d483fcd396ef68f09

SHA256
12cc5517641a90d984d463e07fb15e782ade5b9254e8982fdfaa8cdb22dfd387

SHA512
7d59fd87bef4b40813ac8658e9d14a9912daf097d2a90ec3d663c9ab85a1f52a4849298a2cf1bfc5fc090094d6e4b6ba7b8c7edfd9dd82114bca9612203c0f0d

Download Submit
memory/800-179-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/800-178-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/800-196-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/800-197-0x0000000000760000-0x000000000076F000-memory.dmp

Filesize
60KB

Download
memory/800-195-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/800-194-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/800-186-0x0000000000760000-0x000000000076F000-memory.dmp

Filesize
60KB

Download
memory/800-180-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/824-125-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1056-158-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1056-159-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1056-191-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1056-190-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1056-187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-162-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1056-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-160-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1708-16-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/1708-135-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/1708-200-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1708-21-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/1708-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1708-144-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/2232-145-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-193-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-201-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-189-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-157-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-155-0x00000000001D0000-0x00000000001F8000-memory.dmp

Filesize
160KB

Download
memory/2232-23-0x00000000001D0000-0x00000000001F8000-memory.dmp

Filesize
160KB

Download
memory/2232-24-0x00000000001D0000-0x00000000001F8000-memory.dmp

Filesize
160KB

Download
memory/2232-199-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-174-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2752-66-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2940-141-0x0000000002DE0000-0x0000000002E0A000-memory.dmp

Filesize
168KB

Download
memory/2940-146-0x0000000002DE0000-0x0000000002E0A000-memory.dmp

Filesize
168KB

Download