Analysis

  • max time kernel: 141s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/02/2024, 17:18

General

  • Target

    8fb91d1fca02d34d04ded38a1154c8d4.exe

  • Size

    621KB

  • MD5

    8fb91d1fca02d34d04ded38a1154c8d4

  • SHA1

    5dadc3373f6efdaee50f1c788fb4ecd89e8d7289

  • SHA256

    3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e

  • SHA512

    898faa3ccf5b610d613c29d0fab4a1ac1714fc1263392fadac0cffd5e1e0a85edd5e696763d209c87a558636fa6266d2473c8776704247e92fef60c1ec330e64

  • SSDEEP

    12288:mltyc+0zT2pU0SQmWH3CMEBaLiNFLT+AR02lKhmmCAYJfzRNo:mv+030UpFME0CRJCvmcYJ1No

Signatures

  • Drops file in Drivers directory (2 IoCs)
  • ASPack v2.12-2.42 (1 IoC)

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (55 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory (11 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies data under HKEY_USERS (25 IoCs)
  • Modifies registry class (64 IoCs)
  • Runs net.exe
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\name8.exe
      "C:\Users\Admin\AppData\Local\Temp\name8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1964
      • \??\c:\windows\system\s8\iexplorer.exe
        c:\windows\system\s8\iexplorer.exe /install /SILENT a01
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1652
    • C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe
      "C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2760
    • C:\Users\Admin\AppData\Local\Temp\ad2502.exe
      "C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
      "C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
      2⤵
      • Executes dropped EXE
      PID:2624
    • C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
      "C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2608
    • C:\Users\Admin\AppData\Local\Temp\my_70010.exe
      "C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
      2⤵
      • Executes dropped EXE
      PID:2852
  • C:\Users\Admin\AppData\Local\Temp\855.exe
    "C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:1632
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start S27338
    1⤵
    PID:2908
  • \??\c:\windows\system\s8\iexplorer.exe
    c:\windows\system\s8\iexplorer.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1072
  • C:\Windows\SysWOW64\net.exe
    net start S27338
    1⤵
    PID:2144
  • C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies registry class
    PID:1764

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe

              Filesize

              76KB

            • C:\Users\Admin\AppData\Local\Temp\855.exe

              Filesize

              130KB

            • C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

              Filesize

              166KB

            • C:\Users\Admin\AppData\Local\Temp\name8.exe

              Filesize

              222KB

            • C:\Users\Admin\AppData\Local\Temp\nso649.tmp\ioSpecial.ini

              Filesize

              788B

            • C:\Windows\system\s8\iexplorer.exe

              Filesize

              190KB

            • \Users\Admin\AppData\Local\Temp\ad2502.exe

              Filesize

              110KB

            • \Users\Admin\AppData\Local\Temp\bind_50195.exe

              Filesize

              20KB

            • \Users\Admin\AppData\Local\Temp\my_70010.exe

              Filesize

              20KB

            • \Users\Admin\AppData\Local\Temp\nso649.tmp\InstallOptions.dll

              Filesize

              12KB

            • \Users\Admin\AppData\Local\Temp\nso649.tmp\System.dll

              Filesize

              10KB

            • \Users\Admin\AppData\Local\Temp\nst57E.tmp\Banner.dll

              Filesize

              4KB
