7de0b74e86ed6dd230d9fbb1097a3192ac0254c8bfaf8847d2e7317f5a93f458

General

Target

8d24789b13d9188a9fd2e4d0f53ed9ea.exe
Size

35KB
MD5

8d24789b13d9188a9fd2e4d0f53ed9ea
SHA1

d9f0cb558c3098b760c686655dfed63729a76988
SHA256

7de0b74e86ed6dd230d9fbb1097a3192ac0254c8bfaf8847d2e7317f5a93f458
SHA512

45e340d292cd1a2ae7456066b3ad9a2b9631d99eba06343248f2dd8c8400d75acb1d1c1d48978ea1c99db41700bc55d46e8f4e48c742fc451ccaff4dfb8780c2
SSDEEP

768:jJuE066/gtUFR53J5Ce7mvVb5GWn39FKIsXkMS0SDKwAmeOUe81vyVM:G67tUF/7C+mt9GW+IAJNSCzOUt1vyV

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 6 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\dcikpcfhalmblomhkcfcebnnefiledge fanbgjbfcakcbdaakendohofboodkibe = "live video"	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\dcikpcfhalmblomhkcfcebnnefiledge iincedonfjiflkfielipkccnibngjpam = "live cams"	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\eepelkjedknhdppomifbalcigephpbhm oogiceeppfaakkobpghaaieajbbklmeb = "Proclaim Telcom, Inc."	dluxjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\dcikpcfhalmblomhkcfcebnnefiledge fanbgjbfcakcbdaakendohofboodkibe = "live video"	dluxjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\dcikpcfhalmblomhkcfcebnnefiledge iincedonfjiflkfielipkccnibngjpam = "live cams"	dluxjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\eepelkjedknhdppomifbalcigephpbhm oogiceeppfaakkobpghaaieajbbklmeb = "Proclaim Telcom, Inc."	8d24789b13d9188a9fd2e4d0f53ed9ea.exe

Deletes itself 1 IoCs

pid	Process
2244	dluxjp.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	dluxjp.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DLuxjp = "c:\\program files\\dialers\\dluxjp\\dluxjp.exe /nocomm"	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DLuxjp = "c:\\program files\\dialers\\dluxjp\\dluxjp.exe /nocomm"	dluxjp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\dialers\dluxjp\dluxjp.exe	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
File created	\??\c:\program files\dialers\dluxjp\dluxjp.exe	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
File opened for modification	\??\c:\program files\Dialers\DLuxjp\DLuxjp.exe	8d24789b13d9188a9fd2e4d0f53ed9ea.exe
File created	C:\Program Files\Dialers\Links\DLuxjp.ico	dluxjp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2244	1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe	28
PID 1268 wrote to memory of 2244	1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe	28
PID 1268 wrote to memory of 2244	1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe	28
PID 1268 wrote to memory of 2244	1268	8d24789b13d9188a9fd2e4d0f53ed9ea.exe	28

C:\Users\Admin\AppData\Local\Temp\8d24789b13d9188a9fd2e4d0f53ed9ea.exe
"C:\Users\Admin\AppData\Local\Temp\8d24789b13d9188a9fd2e4d0f53ed9ea.exe"
1⤵
- Manipulates Digital Signatures
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\program files\dialers\dluxjp\dluxjp.exe
  "C:\program files\dialers\dluxjp\dluxjp.exe" -kill c:\users\admin\appdata\local\temp\8d24789b13d9188a9fd2e4d0f53ed9ea.exe /install
  2⤵
  - Manipulates Digital Signatures
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dialers\dluxjp\dluxjp.exe

Filesize
35KB

MD5
8d24789b13d9188a9fd2e4d0f53ed9ea

SHA1
d9f0cb558c3098b760c686655dfed63729a76988

SHA256
7de0b74e86ed6dd230d9fbb1097a3192ac0254c8bfaf8847d2e7317f5a93f458

SHA512
45e340d292cd1a2ae7456066b3ad9a2b9631d99eba06343248f2dd8c8400d75acb1d1c1d48978ea1c99db41700bc55d46e8f4e48c742fc451ccaff4dfb8780c2

Download Submit
C:\Users\Admin\Desktop\Sexy Girls.url

Filesize
142B

MD5
0be78a07a6ff570dae143d7e70005352

SHA1
2c2e69652dd821eb11b074bff57fbd44fb6935ef

SHA256
c01c7002f5954ae749cacbe849cd2b7032e548a0dc90e1928f3a1f0f1d7cf843

SHA512
96d915a7b959393dd15447d7ef20776e2038cbd5aa29af4da91b8225c4cb08dcba647b29cf403516d95e5c21b80a5c6644961f91c5229001c34232e7d79148c4

Download Submit
memory/1268-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1268-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-13-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/2244-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2244-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2244-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads