Overview

overview

10

Static

static

7

About.chm

windows7-x64

1

About.chm

windows10-2004-x64

10

Setup_s34.exe

windows7-x64

7

Setup_s34.exe

windows10-2004-x64

10

baid.exe

windows7-x64

7

baid.exe

windows10-2004-x64

10

bind_8152.exe

windows7-x64

7

bind_8152.exe

windows10-2004-x64

10

duisc.exe

windows7-x64

8

duisc.exe

windows10-2004-x64

10

edmtd.exe

windows7-x64

7

edmtd.exe

windows10-2004-x64

10

itadx.exe

windows7-x64

7

itadx.exe

windows10-2004-x64

10

ly2_03.exe

windows7-x64

10

ly2_03.exe

windows10-2004-x64

10

pcast.exe

windows7-x64

10

pcast.exe

windows10-2004-x64

10

pingtu12.exe

windows7-x64

1

pingtu12.exe

windows10-2004-x64

10

qqa02_u88setup.exe

windows7-x64

8

qqa02_u88setup.exe

windows10-2004-x64

10

sdcnc.exe

windows7-x64

8

sdcnc.exe

windows10-2004-x64

10

sdpig.exe

windows7-x64

7

sdpig.exe

windows10-2004-x64

10

sdreg.exe

windows7-x64

1

sdreg.exe

windows10-2004-x64

10

sdset.exe

windows7-x64

10

sdset.exe

windows10-2004-x64

10

sogoutb_se...ni.exe

windows7-x64

7

sogoutb_se...ni.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pcast.exe

  • Size

    542KB

  • MD5

    dad4aede2fd849808e65c571c3bac6d9

  • SHA1

    f070fe992379247e50105cae1a418d7e0e898876

  • SHA256

    ff2a609b9fa369dc77d410b56fd3f0f16758aad6c3c21702e325cc5a2d133c9a

  • SHA512

    7eff93e06144857e8633023c7c0a8f84adf06aa412b56c41d9a42f1d0e9e93d356898629930b6d01d4807153a39afda57e4034f19a04b2b754e922171e191a8f

  • SSDEEP

    12288:SKoFAyW66UYsvrVN4ARGMJhBworlrHzC10K8+TqPE3l8OQxD:noFAM7oAlhB7r5TCSj+OPM8OqD

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
    evasion
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pcast.exe
    "C:\Users\Admin\AppData\Local\Temp\pcast.exe"
    1⤵
    • Manipulates Digital Signatures
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Program Files (x86)\pcast\PodcastbarMini\start.exe
      "C:\Program Files (x86)\pcast\PodcastbarMini\start.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2720
  • C:\Program Files (x86)\pcast\PodcastbarMini\PodcastBarMini.exe
    "C:\Program Files (x86)\pcast\PodcastbarMini\PodcastBarMini.exe"
    1⤵
    • Modifies firewall policy service
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\pcast\PodcastbarMini\version.ini
    Filesize

    56B

    MD5

    90afa1d476f2595d4ee854ad63dcf486

    SHA1

    e9fef886f4bfe95a29956d8715aef9e7c1209616

    SHA256

    61f69ddf2a15dcb75133cd8e0a1353424f694f9f44816b78fa04384410903696

    SHA512

    8203235d538ef81e98cfa657ac67ace2f6ae7a13a496c716d5be857679325fff4fb8ffff57e61d55ab9b732c8000d5a71ffed54ce2009681a5ae7bbdaf41ffe0

    Download Submit

  • \Program Files (x86)\pcast\PodcastbarMini\PodcastBarMini.exe
    Filesize

    356KB

    MD5

    018e7c1c54de447436a978c26fe1c5fc

    SHA1

    373888daf7cf03673a5b68f62dc8e6b56182fcae

    SHA256

    92534286413fee4cb015da8a2b498d47fb7a533df69ef3576aeaeefa5186c22e

    SHA512

    2e113883ba62fce7e45adb3c5ee0829207e24bde7e9220c388a7237a11100d60dcb16c3e1f3b50f2051bd3378109fca7d7a7cab333135ba96eb2e0b8ac59d4bd

    Download Submit

  • \Program Files (x86)\pcast\PodcastbarMini\Start.exe
    Filesize

    128KB

    MD5

    02f0fa087aabb8fc3ec4163718f904c0

    SHA1

    6664d84709929a094968b440d60bbc02b6cacf4e

    SHA256

    913c17db5fced9e152d1b6cf91ef9ba12c160cfd54142eef5aae2de8770c2bc9

    SHA512

    3d92e75d49a47e1ac52d23359b7ee6fc0753dba527a6ee98a7fd43507f066362caa50267b5b698ea40f5ca46d7ea879054d88cfd13a7d77bda049fe9c0d5f366

    Download Submit

  • \Program Files (x86)\pcast\PodcastbarMini\pCastCtl.dll
    Filesize

    708KB

    MD5

    ad989d530b72dd1d5a5a0294f9add513

    SHA1

    8092dfabf4b0dd7abd1ecc9827b9f14222598d6f

    SHA256

    8888b9f192e44b3db636ba26966d374ec849d1f7508491244ca68f98da6dc388

    SHA512

    b0efd7918946572d80833ee938e3b0473309a40efe915845f8df26237b5221a4db176d2d66d75d21a68a0965a1395039fc1270422bb760953a5aadb64611212e

    Download Submit