Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2024, 23:25

General

  • Target
    8accd407222deef7660f75dcba8cf6c6.exe
  • Size
    91KB
  • MD5
    8accd407222deef7660f75dcba8cf6c6
  • SHA1
    65b2699ef4a88c64205d99a01efd6b95d81244d2
  • SHA256
    ca87f191be00b273242716a4b2747d4da6027befc4ed6e12ad0046a9b3a9c572
  • SHA512
    800211fc7c6cc9f06fb63e22b04568bd934a84d8f93743d16b55b37228de5c1a3a2c410efabd883ac92c898222d6ea26cce80909ed10b7902874eb163c19fccc
  • SSDEEP
    1536:yu4nPGyZSZmbWXE4b+jy0GH5or5k784G629+l3iXAXD2CD+ExhaLPzNCmW/qjwEk:yfulB+u1544n2cleAnx0NCpyj/uv

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe
    "C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:4724
    • C:\Program Files (x86)\PostTip\PostTip.exe
      "C:\Program Files (x86)\PostTip\PostTip.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:4480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c \DelUS.bat
      2⤵
      PID:3496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\DelUS.bat
    Filesize
    243B
    MD5
    89dfe7a7a6147c643bb4337b3103ae33
    SHA1
    be87652d93427342a60fe92e68f20116af3329a4
    SHA256
    50e509882ff928822ac2ee9ed38a1bd294012484179b90864cd7933e88d16893
    SHA512
    bc6c905e2942844297311614ad15113de82f3fc07b612c5f55a7f997a11bcd72cfa4f6d53f78aebb2ab2b80a6e4a2b9d8711280ead4bc75e1ac78d6a86e3097a
  • C:\Program Files (x86)\PostTip\PostTip.dll
    Filesize
    146KB
    MD5
    a91d1721d3d945db7b97b2184d01bcff
    SHA1
    9f2a2e0c00dfde68cc68dfb68ebf68bfe2db4b96
    SHA256
    4a14bdc36a06c2f07e2f90c3efa6ea408b9dc36181e418f5a001eaf9cdcd9389
    SHA512
    4d3594d3c7f6856d7bff004825df3e7b274069070476f0e040245c6f14613c2fe5ec6cac6ae1c54104c978c4899d2b0421425f146d8e0a96ca44b711ce08fd66
  • C:\Program Files (x86)\PostTip\PostTip.exe
    Filesize
    38KB
    MD5
    dd0481ba5c98acab24d53e6a894bd429
    SHA1
    d83b22224aa891ed22d4e3549066b8a0e19d005c
    SHA256
    84fde9b01b4d3c5bc7d8bf487c9d64e7e86021f060f624c6d693c1e196bf2e9c
    SHA512
    3716353b3d604f56f4f30681d62ca1ce6b21f5ae2839c5e43ada0efe5b5e511c8e0fd5fe07d95326b2e0bd21df06ea159561a4a9903ecef7779a20fc8aae6b60
  • memory/5096-0-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB
  • memory/5096-11-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB