Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 16:22

General

  • Target

    8f9cc18d3743f189e0702d941c4423da.exe

  • Size

    866KB

  • MD5

    8f9cc18d3743f189e0702d941c4423da

  • SHA1

    249578de07ac2ec3ffc2ffd400e0a4f72afff0bc

  • SHA256

    3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab

  • SHA512

    ba04fb24288772d2ff625555674d62a4723389fc892aa5c1e01553aabcdc18c1342aa0c9dccb4d4cf58963359550749c26b6472eeeee2efda33c8271909c053d

  • SSDEEP

    24576:38GwXmL0hk0v0XW/xVfCyHH1VQJxhGjS0:38Jhkw/xVfCy1iJeO0

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe
    "C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies registry class
      PID:2064
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2720

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          1.4MB

          MD5

          d0226a30350152be71631317e3b77ed9

          SHA1

          57babff43b382f1ccd171915f705978fee4b34c7

          SHA256

          e3bd63c7c59777a1064cc6d81a8c7889dff4a7caa19987941f3a9dacb9f246d1

          SHA512

          f617f654331046246fc96bcac9735916fae612a023451bc13fd2e93f06187c9f99bb1d1aeee4458163347d85e72f3eb60bc9f662806096ac5e07b598242b330e

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          948KB

          MD5

          1ebe7a67a48c6dcdb4c587295439fd44

          SHA1

          59279c22f71c8324d0ccc2058f2cd7b3c8c41ae3

          SHA256

          23b85b0c7d5aacfcfaff4fa4e3af5e0e09cc24d1d498d104e04ffaabc5b1ebfd

          SHA512

          8311f87325e8987bd451888c99aee11955fcbbc2dcc9b834c72c7cef1ccd0244b2bc6d5b107b1faa722d643f2b4f6c7ee85cf4b71477002eef0849aa48a27633

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          715KB

          MD5

          1dd0748cc53b910a4ecd08bddee9d4b7

          SHA1

          812eb569b8c4fd637c04bf95bd7b485e191cfd5b

          SHA256

          13b9514fe51cea84dd3681eb1e4d669026d322f2dfe163477d481b9f8fcb6897

          SHA512

          b6a412246d2e5853334314614c708a7cf7cd1c784a221ba4cfa81da276904dcd88137cf99f4b7b212396d37e1da7184ee222ed69a56c1525760f24682bff30a9

        • \Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll

          Filesize

          184KB

          MD5

          fbbd36fc9f5de933753a1b855944e04a

          SHA1

          6aff38e2228f86233e103da286381da37feff0ce

          SHA256

          ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62

          SHA512

          7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace

        • \Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          960KB

          MD5

          f74f15bab08ae5eb5d43b3d774f5cf30

          SHA1

          5e94d983fffed36d41e137254cff59fad6a890c4

          SHA256

          3a5c29bca1bbe551154ce16a8a0a6977a2b899b89c3c46b937d748c65f1897bc

          SHA512

          37b779caba37d20493a1835529bb0115377f1f5519af3039ec621b4e458e51f5c51d199145cc64b500c8999828df2456746ab7f5fb85f852bd3f35aeb3eecfae

        • \Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          984KB

          MD5

          8b95c6ab844b7b1fa40a19270c74089a

          SHA1

          08887fac24776b322a828ee307db8ecc3c07f692

          SHA256

          75782517fe8cd1e87a440c60848690be68e7e9ac71bdd3da2993857f664e791c

          SHA512

          a5d5d3f5e0a6f5cf58c0a52fcdd8efb245dea4763d34be7ee3acda202f2fde796c7879e118c957a2eeda8fb936dda30816535633825cc672edf726ceabee7022

        • \Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          1.1MB

          MD5

          33010933d4b582cbc2b3b1f4ad864156

          SHA1

          14c167feeef914a639dcd68751842141feaef5fd

          SHA256

          8c971da2ccb79bbd52b213644421a2f7f720d1aa3c95e557ed595ef34b179bf3

          SHA512

          1b046a39ed2dd24fdb0f1a9ff668cba5ffed3b741782857265172d97457f9a553c4208129bdb3cca2fb2a4506e11bb5a7e8bdf883d542434231351856404c9bf

        • \Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          1.2MB

          MD5

          4c5c9bc08662b6e3bc2d8e2f3dc38ea7

          SHA1

          040daf2000cdf49f159f5232f5751a79208ede02

          SHA256

          c1b51655c8783902f73a75b809dd2e5e64437f1163dc497a8b26cdaff81ab80f

          SHA512

          3693577c7b0659b4df4f3aa6fb759ed741c286023e60eda637189a6182e4940544f8400fa6d87d7155e8c29371b8a2730ae9067e25b1ac01576eb59fac9e3f7f

        • \Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

          Filesize

          148KB

          MD5

          5b4a528aff5726712c3c4714492fc71a

          SHA1

          e60a68d8ffb33a81957199e7fa2720a5b74c6ae0

          SHA256

          bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e

          SHA512

          11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9

        • memory/1856-27-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB