Analysis
max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 17:18
Static task: static1
Behavioral task: behavioral1
Sample: 8fb91d1fca02d34d04ded38a1154c8d4.exe
Resource: win7-20231129-en
General
Target: 8fb91d1fca02d34d04ded38a1154c8d4.exe
Size: 621KB
MD5: 8fb91d1fca02d34d04ded38a1154c8d4
SHA1: 5dadc3373f6efdaee50f1c788fb4ecd89e8d7289
SHA256: 3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e
SHA512: 898faa3ccf5b610d613c29d0fab4a1ac1714fc1263392fadac0cffd5e1e0a85edd5e696763d209c87a558636fa6266d2473c8776704247e92fef60c1ec330e64
SSDEEP: 12288:mltyc+0zT2pU0SQmWH3CMEBaLiNFLT+AR02lKhmmCAYJfzRNo:mv+030UpFME0CRJCvmcYJ1No

Malware Config

Signatures
Drops file in Drivers directory 2 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\drivers\acpidisk.sys  855.exe
File opened for modification  C:\Windows\SysWOW64\drivers\acpidisk.sys  855.exe

resource  yara_rule
behavioral1/files/0x00070000000149f5-108.dat  aspack_v212_v242
Executes dropped EXE 9 IoCs
pid  Process
1964  name8.exe
2852  my_70010.exe
2608  dodolook184.exe
2624  bind_50195.exe
2812  ad2502.exe
1652  iexplorer.exe
1632  855.exe
2760  51µØÍ¼Setup64.exe
1072  iexplorer.exe
Loads dropped DLL 55 IoCs
pid  Process  count
2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  23
1964  name8.exe  7
2608  dodolook184.exe  7
2812  ad2502.exe  3
1652  iexplorer.exe  3
1632  855.exe  6
2760  51µØÍ¼Setup64.exe  5
1764  regsvr32.exe  1
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup"  regsvr32.exe
Drops file in System32 directory 11 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\mscpx32r.det  855.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1]  iexplorer.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]  iexplorer.exe
File created  C:\Windows\SysWOW64\mscpx32r.det  855.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  iexplorer.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1]  iexplorer.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]  iexplorer.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]  iexplorer.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]  iexplorer.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]  iexplorer.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]  iexplorer.exe
Drops file in Program Files directory 2 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe  ad2502.exe
File created  C:\Program Files (x86)\Common Files\CPUSH\cpush.dll  ad2502.exe
Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  \??\c:\windows\system\s8\iexplorer.exe  name8.exe
File created  \??\c:\windows\system\s8\iexplorer.exe  name8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 1 IoCs
resource  yara_rule
behavioral1/files/0x0007000000014b31-141.dat  nsis_installer_1

Modifies Internet Explorer settings
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main  iexplorer.exe
Modifies data under HKEY_USERS 25 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  iexplorer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\aa-1f-df-43-f7-d9  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  iexplorer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionTime = 40501c3c8e57da01  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  iexplorer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  iexplorer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadNetworkName = "Network 3"  iexplorer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionTime = 40501c3c8e57da01  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  iexplorer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  iexplorer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecision = "0"  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionReason = "1"  iexplorer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  iexplorer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionReason = "1"  iexplorer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9  iexplorer.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecision = "0"  iexplorer.exe
Modifies registry class 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "CAdLogic Object"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewAdPopup.PopupBlock.1"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ThreadingModel = "apartment"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewAdPopup.PopupBlock"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID\ = "NewMediasActive.RELogic.1"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "NewMediasActive.RELogic"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\AppID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ThreadingModel = "apartment"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object"  regsvr32.exe
Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
2760  51µØÍ¼Setup64.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid  Process
480  Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
1652  iexplorer.exe
1652  iexplorer.exe
1072  iexplorer.exe
1072  iexplorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  count
PID 2364 wrote to memory of 1964  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  28  7
PID 2364 wrote to memory of 2852  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  40  4
PID 2364 wrote to memory of 2608  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  39  7
PID 2364 wrote to memory of 2624  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  38  4
PID 2364 wrote to memory of 2812  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  37  7
PID 1964 wrote to memory of 1652  1964  name8.exe  36  7
PID 2608 wrote to memory of 1632  2608  dodolook184.exe  29  7
PID 2364 wrote to memory of 2760  2364  8fb91d1fca02d34d04ded38a1154c8d4.exe  30  7
PID 2812 wrote to memory of 1764  2812  ad2502.exe  35  7
PID 1652 wrote to memory of 2144  1652  iexplorer.exe  34  7
Processes
C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe (PID 2364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\name8.exe (PID 1964)
      Command line: "C:\Users\Admin\AppData\Local\Temp\name8.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\s8\iexplorer.exe (PID 1652)
          Command line: c:\windows\system\s8\iexplorer.exe /install /SILENT a01
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe (PID 2760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Users\Admin\AppData\Local\Temp\ad2502.exe (PID 2812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bind_50195.exe (PID 2624)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\dodolook184.exe (PID 2608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\my_70010.exe (PID 2852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
      - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\855.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

C:\Windows\SysWOW64\net1.exe (PID 2908)
  Command line: C:\Windows\system32\net1 start S27338

\??\c:\windows\system\s8\iexplorer.exe (PID 1072)
  Command line: c:\windows\system\s8\iexplorer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\net.exe (PID 2144)
  Command line: net start S27338

C:\Windows\SysWOW64\regsvr32.exe (PID 1764)
  Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: 5cda9ea3c2af4482df5603c8ddd7d0c2
SHA1: 85da8541457e8eea22133937804849d43b4d4519
SHA256: e39af3c031e9fb92ba74b44a4302751fb73b6652f252998941c784f3f6a0efbb
SHA512: 7f93794067113b972be1b23479af3c1897c432f7397ed06b7780f1fa605ec954de2e3bea8c49033896eb2e839aec57622626c671098189582e22775bf1a6bb99

Filesize: 130KB
MD5: 480b312817f238ab6f4c2dc1c4f78b41
SHA1: 5a50e8d0564cc9b5bc656e223c2ab0a8ab759721
SHA256: 6954055fe56fab247ce8a969fa5679207ba4f37bdfaa052bed8cf4b72da6a2e8
SHA512: 39a91f807ce3f09306f73acf1a60baa6f23e82449e91547f36dcde45fa053c11825635e1fe1f898d743511bb475cb72f43b4e74294863f22ccbc354ba5abee1b

Filesize: 166KB
MD5: c7c862bc46cde331b5d3da6c5d90d161
SHA1: c4cec33f42901c21458c5d8e24c0caa62e15ccd4
SHA256: 95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597
SHA512: ce7ab4cc12c7ab73ecdce6b43f64471b02aa235c6b64c8c076bcaf742137b96cc8e48102bd0bfa7dcdb7fa2ce9a33b9a132782a38d700a477cc5728a57a6ce62

Filesize: 222KB
MD5: e917342a2678f0a95111943847db055b
SHA1: feffe90673830c4abe83d90c4aef40b380a59d27
SHA256: dd84551ef3d6b430ad8296654c6accfbcb596100912e613090fd9c193ba68991
SHA512: eff51563de5a6afdcf12a9a2f5b244fac6cb58b7a31eca62584c85d937b8664ba423543f18ac1cdcf3faa56aacac14ed560235e8a5d33a9030efec500e6c1d02

Filesize: 788B
MD5: 052546ada8843941715fa25f82c48751
SHA1: f43e9a1e4600cfd27b269bcac311822abd909c97
SHA256: 9fc283ac999c3f3511724a391336cedd11d237037e9c9496aea5a748652f9c36
SHA512: f1b84ad8b3b33df1d2c5c470b6630aa6ed26fba07c175683b4102b7263ab3298d54538910785e24764ac6e6e143e2d8a55e1423cb35d9cc7a35d6473b5758383

Filesize: 190KB
MD5: f0e35c6aa09eb617edd74d6c3d261cc7
SHA1: 3ddc8a75ef279de85af3456c0998ce1098c3a66b
SHA256: f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2
SHA512: 020256586266bc9d4286515d53c37edce0f4bf80701b68dc3367fb3b155f3a6122b90e5e14c24866720d295c4094fa4c2fe3c8480a3bfc89e5be27caf2cd86ca

Filesize: 110KB
MD5: 8548d060200ed09c9e40b03161756ec5
SHA1: 46253bcd0a534d6eabaf7c0c7a5c68e69f3463dc
SHA256: f4efebf4b2eadf003e6fd2566da7cda057787ed960ec1d5e8c10487bc7b58288
SHA512: 961839f8febb5c2868031876f39a81eb828f036fe317abbe2efa8de946ae4798a3a749c79868b834a8fb28b591e54f6b29ab2d046e38048ef361a9be2e51e26a

Filesize: 20KB
MD5: 105ff1132ecd30e09be232a581f9992e
SHA1: e3dc64b7b7363002708446624a22f89907de96ff
SHA256: 97ca8dfd7d16c6b6f175ed5aa918a0ee0c96c25aef761432449c5ecb30bdc7fc
SHA512: 3f872f80d1bc8bf80d744d596baeafc32c039ed2376730aea2a68d4e2146ebe691fcab853fcb15e82273191a404aa87d11f1f695e0281dfca617149bf2aee460

Filesize: 20KB
MD5: c084449b7d156a460fa7c577dd16b34a
SHA1: 29162f945f3b5c9417d39df33946a3af0ae15841
SHA256: aadc5c2a41d2fefbbdb2489ec86241baceb2dfd03692543c1bf7bd249e619495
SHA512: f0e5099fd1e919ca087aca9f74ac3ca14d972f22f06b413c2fc619e75af1741b7f54484b49c8f8e2bea34ca406f6f819cf6326ef3cec9e92b28124a7e4694439

Filesize: 12KB
MD5: 08c82a46416a5e2b471d457968f53816
SHA1: 3e3897c20b9e89b279b4764a633f67955bf8f09a
SHA256: 435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9
SHA512: 91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

Filesize: 10KB
MD5: 61151aff8c92ca17b3fab51ce1ca7156
SHA1: 68a02015863c2877a20c27da45704028dbaa7eff
SHA256: af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d
SHA512: 4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Filesize: 4KB
MD5: d605203f4d6d404030b0bb8d9af5c513
SHA1: 52fb568bef638bafe602b9605c892d61dbe0f5bf
SHA256: c4b76f503427b3f1b1de08c7ec56df4857ef5362acc9565fee714025b1c41a0d
SHA512: e9e5eb4e7fdc75a3dd411c54bd73a9052b05cce95230882a05c39d28303c3c567a0a0c21e3aa4abb1cc82fbb012f4409fccade793eef40e6760dc3fa7bace18b