Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20231215-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    04/02/2024, 16:22

General

  • Target

    8f9cc18d3743f189e0702d941c4423da.exe

  • Size

    866KB

  • MD5

    8f9cc18d3743f189e0702d941c4423da

  • SHA1

    249578de07ac2ec3ffc2ffd400e0a4f72afff0bc

  • SHA256

    3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab

  • SHA512

    ba04fb24288772d2ff625555674d62a4723389fc892aa5c1e01553aabcdc18c1342aa0c9dccb4d4cf58963359550749c26b6472eeeee2efda33c8271909c053d

  • SSDEEP

    24576:38GwXmL0hk0v0XW/xVfCyHH1VQJxhGjS0:38Jhkw/xVfCy1iJeO0

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check that gates execution on the victim's locale.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules that act as plugins for Internet Explorer; a registered BHO is loaded into the browser process at start-up, so the registration doubles as a persistence point.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
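
Host triage for the indicators in this report, as an added example written for this page and not part of the sandbox output: it enumerates every registered Browser Helper Object under both the native and WOW6432Node keys, resolves each CLSID to its InprocServer32 DLL, hashes that DLL and the dropped-file paths listed below, and flags anything whose SHA256 matches the report or that lives under a LuckyTender directory. The report does not give the BHO's CLSID, so the script assumes none; the Temp-directory glob and the LuckyTender path heuristic are assumptions, not report facts.

```powershell
# Added triage script for this report's indicators; not part of the sandbox output.
# Run in an elevated PowerShell on the host under investigation.
# Assumptions (not stated in the report): the BHO CLSID is unknown, so every
# registration is enumerated; any DLL under a LuckyTender directory is suspicious.

# SHA256 values copied from the report (target file and Downloads section).
$KnownHashes = @{
    '3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab' = 'dropper (8f9cc18d3743f189e0702d941c4423da.exe)'
    'b58d68b9c4488c7a2137582ae26c7e743f8a8c1bbbef1f9f1cd9f8a03f03ccdd' = 'RarSFX0\setup1.exe'
    'bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e' = 'RarSFX0\setup2.exe'
    'ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62' = 'LuckyTender\1.3.0\LuckyTender.dll'
}

# 64-bit BHOs register under the first key; 32-bit BHOs on x64 Windows under WOW6432Node.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoRegistration {
    # Yields one object per registered BHO, with the DLL resolved through HKCR\CLSID.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $clsid = $sub.PSChildName
            $inproc = @(
                "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid\InprocServer32"
            ) | Where-Object { Test-Path $_ } | Select-Object -First 1
            $dll = if ($inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
            [pscustomobject]@{ Key = $key; CLSID = $clsid; Dll = $dll }
        }
    }
}

function Test-KnownHash {
    # Returns the report label for a file whose SHA256 is in $KnownHashes, otherwise $null.
    param([string]$Path)
    if (-not $Path) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not (Test-Path -LiteralPath $expanded)) { return $null }
    $sha = (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes.ContainsKey($sha)) { return $KnownHashes[$sha] }
    return $null
}

$findings = @()

# 1. Persistence: BHO registrations whose DLL matches a known hash or the install path.
foreach ($bho in Get-BhoRegistration) {
    $label = Test-KnownHash $bho.Dll
    $byPath = $bho.Dll -like '*\LuckyTender\*'
    if ($label -or $byPath) {
        $match = if ($label) { $label } else { 'path heuristic (assumed)' }
        $findings += [pscustomobject]@{
            Type = 'BHO'; Where = "$($bho.Key)\$($bho.CLSID)"; Path = $bho.Dll; Match = $match
        }
    }
}

# 2. Dropped files: the Program Files path from the report plus any RarSFX temp directories.
$candidates = @("${env:ProgramFiles(x86)}\LuckyTender\1.3.0\LuckyTender.dll") +
    (Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Temp\RarSFX*\*.exe" `
        -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
foreach ($path in $candidates) {
    $label = Test-KnownHash $path
    if ($label) {
        $findings += [pscustomobject]@{ Type = 'File'; Where = 'disk'; Path = $path; Match = $label }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' }
else { $findings | Format-Table -AutoSize }
```

A BHO hit with a hash match is strong evidence of the installation this report describes; a path-only hit means the file was modified or rebuilt and should be submitted for its own analysis. Because the dropper is a RarSFX archive, the Temp directory may be cleaned up after extraction, so an empty file list does not rule out execution; the BHO registration and the Program Files copy are the durable artifacts.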

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe
    "C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies registry class
      PID:4756
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"
      2⤵
      • Executes dropped EXE
      PID:5104

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll

          Filesize

          184KB

          MD5

          fbbd36fc9f5de933753a1b855944e04a

          SHA1

          6aff38e2228f86233e103da286381da37feff0ce

          SHA256

          ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62

          SHA512

          7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

          Filesize

          1.7MB

          MD5

          6eb8b23d51279bb8585fc88731001d80

          SHA1

          b993ba10af96d7db79ec4fd4771511d880255604

          SHA256

          b58d68b9c4488c7a2137582ae26c7e743f8a8c1bbbef1f9f1cd9f8a03f03ccdd

          SHA512

          74683daefdc3095fe298dcfe0b7596fd91526f4281974f14bf39c04f0e19343e3792b34c114d4c8bcc418b7b5d9cdc201eebe06538347337abcb1231af60ef0a

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

          Filesize

          148KB

          MD5

          5b4a528aff5726712c3c4714492fc71a

          SHA1

          e60a68d8ffb33a81957199e7fa2720a5b74c6ae0

          SHA256

          bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e

          SHA512

          11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9

        • memory/2740-27-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB