Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 04/02/2024, 16:22
Static task: static1
Behavioral task: behavioral1
Sample: 8f9cc18d3743f189e0702d941c4423da.exe
Resource: win7-20231215-en
General
Target: 8f9cc18d3743f189e0702d941c4423da.exe
Size: 866KB
MD5: 8f9cc18d3743f189e0702d941c4423da
SHA1: 249578de07ac2ec3ffc2ffd400e0a4f72afff0bc
SHA256: 3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab
SHA512: ba04fb24288772d2ff625555674d62a4723389fc892aa5c1e01553aabcdc18c1342aa0c9dccb4d4cf58963359550749c26b6472eeeee2efda33c8271909c053d
SSDEEP: 24576:38GwXmL0hk0v0XW/xVfCyHH1VQJxhGjS0:38Jhkw/xVfCy1iJeO0
Malware Config
Signatures
Executes dropped EXE 2 IoCs
| pid  | Process    |
|------|------------|
| 2064 | setup2.exe |
| 2720 | setup1.exe |

Loads dropped DLL 9 IoCs
| pid  | Process                              |
|------|--------------------------------------|
| 1856 | 8f9cc18d3743f189e0702d941c4423da.exe |
| 2064 | setup2.exe                           |
| 2064 | setup2.exe                           |
| 2064 | setup2.exe                           |
| 2064 | setup2.exe                           |
| 1856 | 8f9cc18d3743f189e0702d941c4423da.exe |
| 2720 | setup1.exe                           |
| 2720 | setup1.exe                           |
| 2720 | setup1.exe                           |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
| description     | ioc | Process |
|-----------------|-----|---------|
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} | setup2.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "LuckyTender" | setup2.exe |

Drops file in Program Files directory 2 IoCs
| description  | ioc | Process |
|--------------|-----|---------|
| File created | C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll | setup2.exe |
| File created | C:\Program Files (x86)\LuckyTender\uninst.exe | setup2.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 1 IoCs
| resource                                  | yara_rule        |
|-------------------------------------------|------------------|
| behavioral1/files/0x002e0000000139cb-5.dat | nsis_installer_1 |
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 14 IoCs
| description                        | pid  | Process                              | procid_target |
|------------------------------------|------|--------------------------------------|---------------|
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2064   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 28            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
| PID 1856 wrote to memory of 2720   | 1856 | 8f9cc18d3743f189e0702d941c4423da.exe | 29            |
Processes
C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1856
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Modifies registry class
      PID:2064
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID:2720
Network
MITRE ATT&CK Enterprise v15
Downloads