Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 17:18

General

  • Target

    8fb91d1fca02d34d04ded38a1154c8d4.exe

  • Size

    621KB

  • MD5

    8fb91d1fca02d34d04ded38a1154c8d4

  • SHA1

    5dadc3373f6efdaee50f1c788fb4ecd89e8d7289

  • SHA256

    3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e

  • SHA512

    898faa3ccf5b610d613c29d0fab4a1ac1714fc1263392fadac0cffd5e1e0a85edd5e696763d209c87a558636fa6266d2473c8776704247e92fef60c1ec330e64

  • SSDEEP

    12288:mltyc+0zT2pU0SQmWH3CMEBaLiNFLT+AR02lKhmmCAYJfzRNo:mv+030UpFME0CRJCvmcYJ1No

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\name8.exe
      "C:\Users\Admin\AppData\Local\Temp\name8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4728
      • \??\c:\windows\system\s8\iexplorer.exe
        c:\windows\system\s8\iexplorer.exe /install /SILENT a01
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\net.exe
          net start S27338
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start S27338
            5⤵
              PID:3444
      • C:\Users\Admin\AppData\Local\Temp\my_70010.exe
        "C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
        2⤵
        • Executes dropped EXE
        PID:4328
      • C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
        "C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3740
        • C:\Users\Admin\AppData\Local\Temp\855.exe
          "C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          PID:4052
      • C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
        "C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
        2⤵
        • Executes dropped EXE
        PID:4840
      • C:\Users\Admin\AppData\Local\Temp\ad2502.exe
        "C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
          3⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:4092
      • C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe
        "C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5116
    • \??\c:\windows\system\s8\iexplorer.exe
      c:\windows\system\s8\iexplorer.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:3564

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Common Files\CPUSH\cpush.dll

            Filesize

            168KB

            MD5

            05f2b5f682867496129cf0750a76a8b1

            SHA1

            2589c67a5965ebdd7fec346e8618487709bbc4bf

            SHA256

            df304a40f0d01010bdbdd8ec1b57ab91b40034bd18780718b1aa8318454ad4f2

            SHA512

            0bb2171fdadc57f6e1739e4bac5ebc8038692f43582391a53526894b079fd49078f8ca49aa0cd1f7006bc9d7bf3407c97ab763f7448a6c56587d04ebfaa2f95e

          • C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe

            Filesize

            76KB

            MD5

            5cda9ea3c2af4482df5603c8ddd7d0c2

            SHA1

            85da8541457e8eea22133937804849d43b4d4519

            SHA256

            e39af3c031e9fb92ba74b44a4302751fb73b6652f252998941c784f3f6a0efbb

            SHA512

            7f93794067113b972be1b23479af3c1897c432f7397ed06b7780f1fa605ec954de2e3bea8c49033896eb2e839aec57622626c671098189582e22775bf1a6bb99

          • C:\Users\Admin\AppData\Local\Temp\855.exe

            Filesize

            130KB

            MD5

            480b312817f238ab6f4c2dc1c4f78b41

            SHA1

            5a50e8d0564cc9b5bc656e223c2ab0a8ab759721

            SHA256

            6954055fe56fab247ce8a969fa5679207ba4f37bdfaa052bed8cf4b72da6a2e8

            SHA512

            39a91f807ce3f09306f73acf1a60baa6f23e82449e91547f36dcde45fa053c11825635e1fe1f898d743511bb475cb72f43b4e74294863f22ccbc354ba5abee1b

          • C:\Users\Admin\AppData\Local\Temp\DoSSSetup.dll

            Filesize

            84KB

            MD5

            7d70fb69d8f1e267c0dba99a7d8706e8

            SHA1

            a75a059ed010d17b660f5440123582e4548d8327

            SHA256

            1410734294de20dea4daea85bbb3245c0161a2cc6c70b772d6bc1fad4de8d899

            SHA512

            8442de28f1e2294d29026464843a743a0eed79fc6e358d494f493b0f82c181f899d3643597959afceff23b26d488636f7a9ea48c59cc476a012b07e73f7f9f37

          • C:\Users\Admin\AppData\Local\Temp\acpidisk.sys

            Filesize

            188KB

            MD5

            fccb95cfcb6ffd101162d8c638e7bc3a

            SHA1

            a8dae2cfaa57769268fdbaedf021eb6ad4c89bbe

            SHA256

            871219e8b90a42609b31dbccd968fad4f3209dbff9aedcb0034060eace5e138b

            SHA512

            0d255888ea327e6b50d84ab3feb94839a6e10838203f440ae30602be3bc2edfb15fa2d4038c34d8ae983ab45b15616889373456c25a3dda74cdedd19aa93c229

          • C:\Users\Admin\AppData\Local\Temp\ad2502.exe

            Filesize

            110KB

            MD5

            8548d060200ed09c9e40b03161756ec5

            SHA1

            46253bcd0a534d6eabaf7c0c7a5c68e69f3463dc

            SHA256

            f4efebf4b2eadf003e6fd2566da7cda057787ed960ec1d5e8c10487bc7b58288

            SHA512

            961839f8febb5c2868031876f39a81eb828f036fe317abbe2efa8de946ae4798a3a749c79868b834a8fb28b591e54f6b29ab2d046e38048ef361a9be2e51e26a

          • C:\Users\Admin\AppData\Local\Temp\bind_50195.exe

            Filesize

            20KB

            MD5

            105ff1132ecd30e09be232a581f9992e

            SHA1

            e3dc64b7b7363002708446624a22f89907de96ff

            SHA256

            97ca8dfd7d16c6b6f175ed5aa918a0ee0c96c25aef761432449c5ecb30bdc7fc

            SHA512

            3f872f80d1bc8bf80d744d596baeafc32c039ed2376730aea2a68d4e2146ebe691fcab853fcb15e82273191a404aa87d11f1f695e0281dfca617149bf2aee460

          • C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

            Filesize

            166KB

            MD5

            c7c862bc46cde331b5d3da6c5d90d161

            SHA1

            c4cec33f42901c21458c5d8e24c0caa62e15ccd4

            SHA256

            95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597

            SHA512

            ce7ab4cc12c7ab73ecdce6b43f64471b02aa235c6b64c8c076bcaf742137b96cc8e48102bd0bfa7dcdb7fa2ce9a33b9a132782a38d700a477cc5728a57a6ce62

          • C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

            Filesize

            54KB

            MD5

            5ef4d4eb8adc19903011639216dd26bf

            SHA1

            13bbd6df445edcedbe7deab9df13de3d6b7a601c

            SHA256

            3928d4dc9c7cff379fdddc121944ba1041cb55b02ee8acc44c85d8d54bbcae5b

            SHA512

            9b08835b18d87c7447ab7df17d6111389dab10899645bb02b496f7385119e585bdccc450c78b8a0a903d129821a62c62830af3a8fde95a84615b5383806d2c1a

          • C:\Users\Admin\AppData\Local\Temp\my_70010.exe

            Filesize

            20KB

            MD5

            c084449b7d156a460fa7c577dd16b34a

            SHA1

            29162f945f3b5c9417d39df33946a3af0ae15841

            SHA256

            aadc5c2a41d2fefbbdb2489ec86241baceb2dfd03692543c1bf7bd249e619495

            SHA512

            f0e5099fd1e919ca087aca9f74ac3ca14d972f22f06b413c2fc619e75af1741b7f54484b49c8f8e2bea34ca406f6f819cf6326ef3cec9e92b28124a7e4694439

          • C:\Users\Admin\AppData\Local\Temp\name8.exe

            Filesize

            222KB

            MD5

            e917342a2678f0a95111943847db055b

            SHA1

            feffe90673830c4abe83d90c4aef40b380a59d27

            SHA256

            dd84551ef3d6b430ad8296654c6accfbcb596100912e613090fd9c193ba68991

            SHA512

            eff51563de5a6afdcf12a9a2f5b244fac6cb58b7a31eca62584c85d937b8664ba423543f18ac1cdcf3faa56aacac14ed560235e8a5d33a9030efec500e6c1d02

          • C:\Users\Admin\AppData\Local\Temp\nsd829E.tmp\Banner.dll

            Filesize

            4KB

            MD5

            d605203f4d6d404030b0bb8d9af5c513

            SHA1

            52fb568bef638bafe602b9605c892d61dbe0f5bf

            SHA256

            c4b76f503427b3f1b1de08c7ec56df4857ef5362acc9565fee714025b1c41a0d

            SHA512

            e9e5eb4e7fdc75a3dd411c54bd73a9052b05cce95230882a05c39d28303c3c567a0a0c21e3aa4abb1cc82fbb012f4409fccade793eef40e6760dc3fa7bace18b

          • C:\Users\Admin\AppData\Local\Temp\nse833B.tmp\System.dll

            Filesize

            10KB

            MD5

            61151aff8c92ca17b3fab51ce1ca7156

            SHA1

            68a02015863c2877a20c27da45704028dbaa7eff

            SHA256

            af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

            SHA512

            4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

          • C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\InstallOptions.dll

            Filesize

            12KB

            MD5

            08c82a46416a5e2b471d457968f53816

            SHA1

            3e3897c20b9e89b279b4764a633f67955bf8f09a

            SHA256

            435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

            SHA512

            91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

          • C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini

            Filesize

            737B

            MD5

            7da01a60b8b58f98463affb026e8355f

            SHA1

            dda58fcf7b5ed528ad2913c2d0dd10664435aa6e

            SHA256

            fb63a8371e096200943ab0f08ece0dc6603aa9d7ef8ab52d6c727a90a969e98b

            SHA512

            89717e7cc2779dcc4e2e9470a59c88a07087c63a05d646b247de8242149afc130277b9a846de39887a882531a5c48bbf23aabe4359f1e63101c978e1139dc668

          • C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini

            Filesize

            789B

            MD5

            d32b87b1a9651a877507c7a89f2222cc

            SHA1

            17390134d38498a2a4e493a89dd46666c7e1115b

            SHA256

            1623e6a14b331744d3f9f54e9fb4ad7e5ed320ca5f80430b0e67cf5dcf8acf93

            SHA512

            05058ec350d16741a754d2da256198d1242e5d995c91386b6c5cb3359808ce4dcfacb2ffb4ff6dee2beaac3b81a6bdea58b67d7bd79f2629ad0834616dc9f08a

          • \??\c:\windows\system\s8\iexplorer.exe

            Filesize

            190KB

            MD5

            f0e35c6aa09eb617edd74d6c3d261cc7

            SHA1

            3ddc8a75ef279de85af3456c0998ce1098c3a66b

            SHA256

            f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2

            SHA512

            020256586266bc9d4286515d53c37edce0f4bf80701b68dc3367fb3b155f3a6122b90e5e14c24866720d295c4094fa4c2fe3c8480a3bfc89e5be27caf2cd86ca

          • memory/1648-99-0x00000000005C0000-0x00000000005C1000-memory.dmp

            Filesize

            4KB

          • memory/1648-215-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

          • memory/2420-71-0x0000000000400000-0x000000000049CE33-memory.dmp

            Filesize

            627KB

          • memory/2420-0-0x0000000000400000-0x000000000049CE33-memory.dmp

            Filesize

            627KB

          • memory/3564-217-0x00000000005C0000-0x00000000005C1000-memory.dmp

            Filesize

            4KB

          • memory/3564-226-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

          • memory/3564-228-0x00000000005C0000-0x00000000005C1000-memory.dmp

            Filesize

            4KB

          • memory/4052-90-0x0000000002240000-0x0000000002257000-memory.dmp

            Filesize

            92KB