Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 19:08

General

  • Target
    8fecd0dd91d9d0811d67e18db275c126.exe
  • Size
    282KB
  • MD5
    8fecd0dd91d9d0811d67e18db275c126
  • SHA1
    58e3bb4c421d10bea8855cfd521da25e3aaa2779
  • SHA256
    89377e06e411db8fa2e76c586b549099c339d3d4ed6f4bc3b14888204c50a373
  • SHA512
    77e32aeece8b4c222a4a6d80412819da6f766a1758c444e4dd9448d7c4b2170ce46770fc7bc6c3a6747862573ca1324850b5e430e877170c0d5828ea44fb6643
  • SSDEEP
    6144:ee34L675+ZPPfnE2Qyn20UA5ibYMYC/gMXG6lCHBL75+ZPPfnE2Qyn20U:G6F+ZPPfnEUnhwMhLF+ZPPfnEUn

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 15 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe
    "C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoTab\InfoTab.dll"
      2⤵
      PID:1112
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\PlusTab\PlusTab.dll"
      2⤵
      PID:2748
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"
      2⤵
      PID:3632
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"
      2⤵
      PID:404
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoWise\InfoWise.dll"
      2⤵
      PID:3600
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\WiseBar\WiseBar.dll"
      2⤵
      PID:556
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\FineTop\FineTop.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:4216
    • C:\Program Files (x86)\FineTop\FineTop.exe
      "C:\Program Files (x86)\FineTop\FineTop.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\FineTop\FineTop.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2200
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      PID:3840

Downloads

  • C:\Program Files (x86)\FineTop\FineTop.dll
    Filesize
    130KB

  • C:\Program Files (x86)\FineTop\FineTop.exe
    Filesize
    42KB

  • C:\Program Files (x86)\FineTop\adc.acc
    Filesize
    28KB

  • C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\IpConfig.dll
    Filesize
    114KB

  • C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\NSISdl.dll
    Filesize
    14KB

  • C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\SelfDel.dll
    Filesize
    4KB

  • C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\UAC.dll
    Filesize
    13KB

  • C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\nsProcess.dll
    Filesize
    4KB

  • memory/4012-69-0x0000000073560000-0x0000000073569000-memory.dmp
    Filesize
    36KB