f73eb4451ef01490c725d10393934627cc77e53668f3e1fc633a940bb05cf8d4

Analysis

max time kernel
222s
max time network
255s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3825d6fb7a4382f476703a77eec61b98.exe
Size

38KB
MD5

3825d6fb7a4382f476703a77eec61b98
SHA1

5880b258c3c2510350ad5db27f94cf7552d84afb
SHA256

f73eb4451ef01490c725d10393934627cc77e53668f3e1fc633a940bb05cf8d4
SHA512

17d0ac770d1fd27e4bc7033723131631326c960160d0e32a36e5382220f99bda9c5798636eea65b70774701d8cea7ac2532073ae40a78c96fc248abc2036f142
SSDEEP

768:aHpqwkfEY6GmDvRwlNoJfiqFMkBh5e6BXZgB4e:aHpXkfhitgQiqFd5XZgCe

Score

10^/10

adware evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32"	rundll32.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MSPCLOCK.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\adp94xx.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\appid.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ipfltdrv.sys	rundll32.exe
File created	C:\Windows\SysWOW64\Drivers\ksecdd.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ql2300.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\fdc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\flpydisk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\nvraid.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\raspppoe.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\sfloppy.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\wd.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\disk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\hidir.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ndistapi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\vga.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\WudfPf.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\amdppm.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\kbdhid.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\monitor.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\MTConfig.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\gagp30kx.sys	rundll32.exe
File created	C:\Windows\SysWOW64\Drivers\ksecpkg.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\rdpencdd.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\peauth.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\smb.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\vhdmp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\Rtnic64.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\usbehci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\mountmgr.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\rasl2tp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\rdyboost.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\termdd.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\wfplwf.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\amdk8.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\nvstor.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\usbccgp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\viaide.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\dmvsc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\lsi_scsi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\raspptp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\sffdisk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\tunnel.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\usbuhci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\acpipmi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\HTTP.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ipnat.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\lsi_sas.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\sisraid4.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\terminpt.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\VMBusHID.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\wmiacpi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\cdrom.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\swenum.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\IPMIDrv.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\mouhid.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\CmBatt.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\iirsp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\modem.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\tcpip.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\rdpbus.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ohci1394.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\sffp_mmc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\TsUsbGD.sys	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0004000000004ed7-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2664	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2536	3825d6fb7a4382f476703a77eec61b98.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-5.dat	upx
behavioral1/memory/2536-7-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2536-9-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2536-10-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2536-13-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2536-14-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-20-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-21-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-22-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-32-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-232-0x0000000010000000-0x0000000010041000-memory.dmp	upx
behavioral1/memory/2664-242-0x0000000010000000-0x0000000010041000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	rundll32.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash	3825d6fb7a4382f476703a77eec61b98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	3825d6fb7a4382f476703a77eec61b98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\DllName = "mdhash.dll"	3825d6fb7a4382f476703a77eec61b98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\Startup = "mdhash"	3825d6fb7a4382f476703a77eec61b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\Impersonate = "1"	3825d6fb7a4382f476703a77eec61b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\Asynchronous = "1"	3825d6fb7a4382f476703a77eec61b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\MaxWait = "1"	3825d6fb7a4382f476703a77eec61b98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash\adr97 = "[027DAABAAC574B17C]"	3825d6fb7a4382f476703a77eec61b98.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mdhash.dll	3825d6fb7a4382f476703a77eec61b98.exe
File created	C:\Windows\SysWOW64\mdhsh.sys	3825d6fb7a4382f476703a77eec61b98.exe
File opened for modification	C:\Windows\SysWOW64\mdhsh.sys	3825d6fb7a4382f476703a77eec61b98.exe
File opened for modification	C:\Windows\SysWOW64\idf.bin	3825d6fb7a4382f476703a77eec61b98.exe
File opened for modification	C:\Windows\SysWOW64\k86.bin	3825d6fb7a4382f476703a77eec61b98.exe
File opened for modification	C:\Windows\SysWOW64\idf.bin	rundll32.exe
File created	C:\Windows\SysWOW64\CLFS.sys	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2664	rundll32.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29
PID 2536 wrote to memory of 2664	2536	3825d6fb7a4382f476703a77eec61b98.exe	29

C:\Users\Admin\AppData\Local\Temp\3825d6fb7a4382f476703a77eec61b98.exe
"C:\Users\Admin\AppData\Local\Temp\3825d6fb7a4382f476703a77eec61b98.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe mdhash.dll,mdhash C:\Users\Admin\AppData\Local\Temp\3825d6fb7a4382f476703a77eec61b98.exe
  2⤵
  - Modifies firewall policy service
  - Drops file in Drivers directory
  - Deletes itself
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mdhsh.sys

Filesize
8KB

MD5
fa1af74ab17b5d7af7b56f46f09108f4

SHA1
5e98d7e2e2b59799bd6a05c4a7e9fab34bd883d2

SHA256
86b7e650f323db5dcb5ccbaa43e84513871f7fbdb65d6314a386d09920cf5112

SHA512
88ddeede18cf67f4e3f44cfe738a37f746f53417c0f475b9a525347e73dd02e637a915142d0cc04d01444f08eee2d28f0f42fda369bcc16cb956f894b9898f99

Download Submit
\Windows\SysWOW64\mdhash.dll

Filesize
21KB

MD5
74e66a253e1903eb5a7846d46ff534f9

SHA1
538ce4817faf657f30fc91c9faaa33cbce9f04a3

SHA256
17d466513173ae8a905996505a652b38d3fc5958d681663482f6c9e6245e7291

SHA512
bb610538c1ece66ef0f891d810fa1de80d81cbc3fd173845f4aa0dd1a99bd83bc3a6de8563af845e813b445182d5f007e8f9d67940012239131155a107a6930b

Download Submit
memory/2536-14-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2536-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2536-10-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2536-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2536-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2536-7-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-20-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-21-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-22-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-32-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-232-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2664-242-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download