Overview

overview

8

Static

static

3

18f28e5266...b9.exe

windows7-x64

8

18f28e5266...b9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    18f28e52663cb8d68b867f1f37d4a7b9.exe

  • Size

    659KB

  • MD5

    18f28e52663cb8d68b867f1f37d4a7b9

  • SHA1

    8c786b08838fe24a009e1be0b57b3a39bfb86be9

  • SHA256

    52c2942280f41e0fbc2332ebfdae6741fd5eb2c64e81063d31ab93ba1c6fc9bd

  • SHA512

    27fee594f994e3e635958aab80d8fa4cc66ec8ffc0a15b285d18f288a2bce49e54f6ca96168ace4c980b71064f96bb7cc5ebcae4d2d62dfe714bd79c9c5d2331

  • SSDEEP

    12288:gr3ZBIReuTuYcRZHKU+68HDdg1utOmNx0po8Hpg/Q2lvkTJls:8ZB2zTVhF/hkEvh/lvaq

Score
8/10
adwarediscoverypersistencestealerupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 2 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18f28e52663cb8d68b867f1f37d4a7b9.exe
    "C:\Users\Admin\AppData\Local\Temp\18f28e52663cb8d68b867f1f37d4a7b9.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\system\SkypeClient.exe
      "C:\Windows\system\SkypeClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3648
    • C:\Windows\system\dodolook326.exe
      "C:\Windows\system\dodolook326.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\1097.exe
        "C:\Users\Admin\AppData\Local\Temp\1097.exe" 7326
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:4504
    • C:\Windows\system\1d007.exe
      "C:\Windows\system\1d007.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\SysWOW64\netdde32.exe
        C:\Windows\system32\netdde32.exe /install 1d007
        3⤵
        • Sets file execution options in registry
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\netdde32.exe
          C:\Windows\netdde32.exe
          4⤵
          • Sets file execution options in registry
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:64
      • C:\Windows\SysWOW64\d03.exe
        C:\Windows\system32\d03.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:468
    • C:\Windows\system\boolan61.exe
      "C:\Windows\system\boolan61.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\boolan61.exe
        "C:\Users\Admin\AppData\Local\Temp\boolan61.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:5108
      • C:\Users\Admin\AppData\Local\Temp\boolan.exe
        "C:\Users\Admin\AppData\Local\Temp\boolan.exe"
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\program files\internet explorer\use11.dll" mymain
          4⤵
          • Loads dropped DLL
          PID:4760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\Delm.bat
          4⤵
            PID:2256
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3596

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Common Files\CPUSH\cpush.dll
              Filesize

              168KB

              MD5

              05f2b5f682867496129cf0750a76a8b1

              SHA1

              2589c67a5965ebdd7fec346e8618487709bbc4bf

              SHA256

              df304a40f0d01010bdbdd8ec1b57ab91b40034bd18780718b1aa8318454ad4f2

              SHA512

              0bb2171fdadc57f6e1739e4bac5ebc8038692f43582391a53526894b079fd49078f8ca49aa0cd1f7006bc9d7bf3407c97ab763f7448a6c56587d04ebfaa2f95e

              Download Submit

            • C:\Program Files\Internet Explorer\use11.dll
              Filesize

              12KB

              MD5

              71aab99a3fbc5d492273ac18ace38648

              SHA1

              98f394fa709d52ad11d0de5fcf4bf10e581f3065

              SHA256

              bb0b4d5ff730c15cc09b4fa7a0170a481d52370f9de6ba1dca5f1b0cde1b24da

              SHA512

              bf7fcc6e91448e0759c389f871900868dac460485b99b7d48c38840c1e8cb0788c5e18f6ed71167d66f002c6118f8d693302dc3e02258c7c5f3d1efefb45f7cf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1097.exe
              Filesize

              129KB

              MD5

              170b9c9a5dc7d866a2b03bc10b116381

              SHA1

              28a21ec37cf4dc5fb45c98c65e9b93d295db8b8a

              SHA256

              48d1c7c44fc308bfb8ec62a9a4d08b43944ccc09a432f6be306048392b0ef5f2

              SHA512

              11c3cfaf295cb095347190df7ec2101a3b004feaabf7400bf40333aeffd9244e5457dc098e3ed7274eff5de97d3e2267f04b7b0af08ba2763061f35b31e2aeac

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\DoSSSetup.dll
              Filesize

              80KB

              MD5

              c12c0bb5e2ebf521a8eb5d5dccb15638

              SHA1

              fd4ccdcd39d2f597251bf7212202b535fdf8fb4a

              SHA256

              bd809761a4e6cb485065961aa082ded3ede1a0369f203531f1732d82131b581a

              SHA512

              e4b79d96a920cd49dacad471bd488aa7a3b0c459c26f3f63d3be99992b117cfca13bda9e05e3927e16d9733b1c522a961d34393cefaa72321fd4ca36f7bb7d61

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\acpidisk.sys
              Filesize

              178KB

              MD5

              a78c08c422198d555e77b3027a038053

              SHA1

              2616fc27e685ee63acda1cb78651a2d68afb5361

              SHA256

              329583641219caf4ec0dc9451bc33c550eefd41c7234724d23f2ba40f3e10fca

              SHA512

              0ae8842b73e8936e3a044ce6a6b539d59e884ed97aa4268e9a2b51d2405717d63dd26d15ce928ca705f0c25cb262ecf87ff514b51cee4865899e60967d75b025

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\boolan.exe
              Filesize

              43KB

              MD5

              954a91db9247c4e815ea95101d48862f

              SHA1

              7bb4ae19a2153c507e559fad0f1d3fdf925f745a

              SHA256

              7ea6327242b0cecf1aa4b6e49a1436531ab6b02abf8fb4beb7d744636d8edcdf

              SHA512

              4beddfb94b92889ccdb2f130c678db05d113f4124585e475df849b30a2068aab2d0b76f25d5f367788788a75ebad17ee7c3ae55fb7c0ee0e868f596499593494

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\boolan61.exe
              Filesize

              100KB

              MD5

              6bd08e23f842dd375eb30b333ce4b6e8

              SHA1

              b96b86342e4a5914450d44970f254d46bf9a865d

              SHA256

              0dba8d4dbbacfb077f31465280abe1e95c750080f174a7443ea80b0bd5108d62

              SHA512

              27786ba351f3c996d154806d00fd4a7c12ea9c51fea1e62fe07aee3a394940384bc2ff1d934aeb48c10bbd4c3d5e5a4152b968f9836f73cc10dbcb025512cd0f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq7B0D.tmp\System.dll
              Filesize

              10KB

              MD5

              61151aff8c92ca17b3fab51ce1ca7156

              SHA1

              68a02015863c2877a20c27da45704028dbaa7eff

              SHA256

              af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

              SHA512

              4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

              Download Submit

            • C:\Windows\SysWOW64\d03.exe
              Filesize

              110KB

              MD5

              6ba170a48c9fa186a3f6cb8720a5cfe3

              SHA1

              5a9089c1bd3c8bfea1b4e3aa9fb30c9eb65680ee

              SHA256

              f695522f3b4afbfefae85b2d24043e59b263ecb51d608b73cb1ae77bbbc116af

              SHA512

              49a43f0938a5c656f54545923cf66cc78081e05b7b5416d19270cdb438bab132942da717e79870bb7c40562545a4546da70d74436f78da96738fbb69071dcdbc

              Download Submit

            • C:\Windows\SysWOW64\netdde32.exe
              Filesize

              41KB

              MD5

              7f4ca048802b54279e65b9c5c0adaa7c

              SHA1

              b6b41830185b13dc253c70239e29230d2b8f7f28

              SHA256

              3325dfe169a9ea6de3b0228fe231636b13bc287c935ffb35b364519f48e421aa

              SHA512

              442c0e9c042ab7a30ea9d21314894f197f8e003009e3b7e03b470c46b65260ba0aab7d02253ff287052786d67a4f4fe9ae3faa59bb8bf2712fa911333d816c61

              Download Submit

            • C:\Windows\System\1d007.exe
              Filesize

              184KB

              MD5

              b1e9e12a3faf6deb75c7eb0b39d721be

              SHA1

              61ffb7e924937e6e4248af371305959935dcbf7a

              SHA256

              1cb67128e73fcb46b633c63de4d0497f8541888eea27997bb2cb80d403f905e7

              SHA512

              31db64c3a462ab4be0fac5252277b79a7337e0dae852abbfbafed72dc3c750a0805feed3be0ae21796f464c2d3e7176c8588abd0ac250b46c72111440a1e1151

              Download Submit

            • C:\Windows\System\SkypeClient.exe
              Filesize

              57KB

              MD5

              ba1aad08339e2b675ebeb18f13613ca4

              SHA1

              57a66ac24295df33fcd293c7e8dd29e7e98e580c

              SHA256

              2920b87a3abaf6122615dd96527c7cfa90e76cb3062da7143743ecb23c764c66

              SHA512

              76103b2e52914e0dc5294de544db66e3f1deacf78b8f5724a4bb5c46852ef2310a207499df1e219a44c5e8e3904dd417d80bf08e1f590cf1e045698cbd880eb2

              Download Submit

            • C:\Windows\System\boolan61.exe
              Filesize

              180KB

              MD5

              4689ad0e9c7993f095653a4e68e1d89d

              SHA1

              f92ee629c2dcbad4cea39af8bc421dc29d99c620

              SHA256

              4345d0a770f7061425992fe7ee9a2ae34a18ac63ca6e9f7113a76107560cb1c2

              SHA512

              94fddd78f077e2d997df8abb2a3169ea946b5205213a4650823030d0f77e0f5212729068fa1d6a6d181c78d60a021491033059d3552b16287db0925e21e4da44

              Download Submit

            • C:\Windows\System\dodolook326.exe
              Filesize

              166KB

              MD5

              ba5ed986afe1f2ff22455a4da42511b8

              SHA1

              64adf2916b9a6c565d49f79d483fcd396ef68f09

              SHA256

              12cc5517641a90d984d463e07fb15e782ade5b9254e8982fdfaa8cdb22dfd387

              SHA512

              7d59fd87bef4b40813ac8658e9d14a9912daf097d2a90ec3d663c9ab85a1f52a4849298a2cf1bfc5fc090094d6e4b6ba7b8c7edfd9dd82114bca9612203c0f0d

              Download Submit

            • C:\Windows\sysdn.ini
              Filesize

              134B

              MD5

              6a957082f40593a84848a36cf92bbe10

              SHA1

              556cd23f427fd58227def7c41d10309e8ddd00f8

              SHA256

              543ce576fee71391fc05857cfb02eee32dd9cd025ff1deeaac1666d953466db0

              SHA512

              52aeed7c78b4ba0a6add6bcb50279da9aa431a7fdb75cd053c410f2a6633aa00d40a0c0591a4af54810445ab6b990c71d8bf196bb9eef3e10c26ed12f1fe0448

              Download Submit

            • \??\c:\Delm.bat
              Filesize

              132B

              MD5

              f2a97ff677c52aff5e21e4119d02d721

              SHA1

              a9ec0f0c12a870f0ae22cf59b2a556dfd11d51ca

              SHA256

              2757b80a1ff9388d87c2ba4047b4651577fe6e881c54dc180a896ae2772dcb81

              SHA512

              9d2e29d2294bfc2f24c619c942c774d1f65e34bec90eabbed5517fe5847ad8edce8793d144283f1c1de37df684ce5eef73ee15778abcef575b7174c0b71770ff

              Download Submit

            • memory/3648-124-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-20-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-18-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-125-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-155-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-153-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-151-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-142-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3648-147-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3804-118-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/3804-119-0x0000000000470000-0x0000000000471000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3804-145-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/4504-51-0x0000000002270000-0x0000000002286000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4760-150-0x0000000000400000-0x000000000040F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/4760-140-0x0000000000E40000-0x0000000000E41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4760-138-0x0000000000400000-0x000000000040F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/4940-154-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4940-19-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download