Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2024, 17:18
Static task: static1
Behavioral task: behavioral1
Sample: 8fb91d1fca02d34d04ded38a1154c8d4.exe
Resource: win7-20231129-en

General
Target: 8fb91d1fca02d34d04ded38a1154c8d4.exe
Size: 621KB
MD5: 8fb91d1fca02d34d04ded38a1154c8d4
SHA1: 5dadc3373f6efdaee50f1c788fb4ecd89e8d7289
SHA256: 3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e
SHA512: 898faa3ccf5b610d613c29d0fab4a1ac1714fc1263392fadac0cffd5e1e0a85edd5e696763d209c87a558636fa6266d2473c8776704247e92fef60c1ec330e64
SSDEEP: 12288:mltyc+0zT2pU0SQmWH3CMEBaLiNFLT+AR02lKhmmCAYJfzRNo:mv+030UpFME0CRJCvmcYJ1No
Malware Config
Signatures

Drops file in Drivers directory (2 IoCs)
- File created: C:\Windows\SysWOW64\drivers\acpidisk.sys (855.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\acpidisk.sys (855.exe)

YARA rule aspack_v212_v242 matched (1 IoC)
- resource: behavioral2/files/0x000600000002322a-86.dat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (8fb91d1fca02d34d04ded38a1154c8d4.exe)

Executes dropped EXE (9 IoCs)
- PID 4728: name8.exe
- PID 4328: my_70010.exe
- PID 3740: dodolook184.exe
- PID 4840: bind_50195.exe
- PID 4052: 855.exe
- PID 4956: ad2502.exe
- PID 5116: 51地图Setup64.exe
- PID 1648: iexplorer.exe
- PID 3564: iexplorer.exe

Loads dropped DLL (11 IoCs)
- PID 4728: name8.exe (2 loads)
- PID 3740: dodolook184.exe (2 loads)
- PID 4052: 855.exe (4 loads)
- PID 4092: regsvr32.exe (1 load)
- PID 5116: 51地图Setup64.exe (2 loads)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup" (regsvr32.exe)

Drops file in System32 directory (14 IoCs)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] (iexplorer.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\mscpx32r.det (855.exe)
- File created: C:\Windows\SysWOW64\mscpx32r.det (855.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] (iexplorer.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] (iexplorer.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] (iexplorer.exe)

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe (ad2502.exe)
- File created: C:\Program Files (x86)\Common Files\CPUSH\cpush.dll (ad2502.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: \??\c:\windows\system\s8\iexplorer.exe (name8.exe)
- File created: \??\c:\windows\system\s8\iexplorer.exe (name8.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (1 IoC)
- YARA rule nsis_installer_1 matched: behavioral2/files/0x0007000000023228-59.dat

Modifies data under HKEY_USERS (8 IoCs)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (iexplorer.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (iexplorer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (iexplorer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (iexplorer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (iexplorer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (iexplorer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (iexplorer.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (iexplorer.exe)

Modifies registry class (64 IoCs, all by regsvr32.exe registering the NewAdPopup / NewMediasActive COM classes from C:\Program Files (x86)\Common Files\CPUSH\cpush.dll)
Runs net.exe

Suspicious behavior: LoadsDriver (1 IoC)
- PID 664: Process not Found

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 1648: iexplorer.exe (2 hooks)
- PID 3564: iexplorer.exe (2 hooks)

Suspicious use of WriteProcessMemory (33 IoCs)
Each write below is recorded three times in the report (procid_target in parentheses).
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 4728 (84)
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 4328 (86)
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 3740 (87)
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 4840 (88)
- PID 3740 (dodolook184.exe) wrote to memory of 4052 (89)
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 4956 (90)
- PID 2420 (8fb91d1fca02d34d04ded38a1154c8d4.exe) wrote to memory of 5116 (92)
- PID 4728 (name8.exe) wrote to memory of 1648 (91)
- PID 4956 (ad2502.exe) wrote to memory of 4092 (93)
- PID 1648 (iexplorer.exe) wrote to memory of 4556 (94)
- PID 4556 (net.exe) wrote to memory of 3444 (96)
Processes

C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe (PID 2420, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\name8.exe (PID 4728, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\name8.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\s8\iexplorer.exe (PID 1648, depth 3)
      command line: c:\windows\system\s8\iexplorer.exe /install /SILENT a01
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 4556, depth 4)
        command line: net start S27338
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 3444, depth 5)
          command line: C:\Windows\system32\net1 start S27338

  C:\Users\Admin\AppData\Local\Temp\my_70010.exe (PID 4328, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\dodolook184.exe (PID 3740, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\855.exe (PID 4052, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

  C:\Users\Admin\AppData\Local\Temp\bind_50195.exe (PID 4840, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\ad2502.exe (PID 4956, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe (PID 4092, depth 3)
      command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class

  C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe (PID 5116, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe"
    - Executes dropped EXE
    - Loads dropped DLL

\??\c:\windows\system\s8\iexplorer.exe (PID 3564, depth 1)
  command line: c:\windows\system\s8\iexplorer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads